Agent_r.XJ Trojan, URGENT!

Warren1

Hello,

A day ago, my aunt decided to use my computer for some web surfing that she said was "safe". Even though I doubted it, since she's my aunt, I was obliged to loan her my nice laptop.

Today when I finally got access to my laptop again, I knew something was really screwed up. My search results kept being redirected to weird sites, some fake AV tool kept blasting me with messages, and Task Manager wouldn't show me processes from all users.

I sort of pride myself on being able to fix computers, so I tried to see if I could fix it myself.

I ran AVG, which turned up two viruses, one of which I could delete and the second of which could not be deleted.

Here is the log:

"C:\Windows\System32\wuauclt.exe (5152):\memory_00010000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"C:\Windows\System32\wuauclt.exe (5152)";"Trojan horse Agent_r.XJ";""
"C:\Windows\System32\sysprep\CRYPTBASE.DLL";"Trojan horse Generic21.CPEO";"Infected"
"C:\Windows\explorer.exe (728):\memory_00010000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"C:\Windows\explorer.exe (728)";"Trojan horse Agent_r.XJ";""
"C:\Program Files\Mozilla Firefox\firefox.exe (6000):\memory_00010000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"C:\Program Files\Mozilla Firefox\firefox.exe (6000)";"Trojan horse Agent_r.XJ";""

After using AVG, I decided to open up Malwarebytes, and Spybot S&D. Neither of them would open up and returned an error message like this:

"C:\Program Files\Malwarebytes' Anti Malware\mbam.exe

The dependency service or group failed to start."

I tried to reinstall Malwarebytes, but the site was redirected to some virus protector named "STOPZilla", and also blocked the installer.

I then thought about running HJT, but again the site was redirected to 5 different search engines that I don't use.

Any help appreciated,
Warren

Hello Again,

Well, I checked my computer again today, and after finally being able to get Spybot and Malwarebytes to run, I saw about 8 different viruses from both of them.

Here are the new logs:

Spybot:

--- Report generated: 2011-04-09 15:46 ---

Click.GiftLoad: [SBI $89783858] User settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

Fraud.InternetSecurity2011: [SBI $F7DAA6B2] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\

Win32.FraudLoad.edt: [SBI $8454102F] Settings (Registry key, fixed)
HKEY_USERS\.DEFAULT\Software\NtWqIVLZEWZU

Win32.FraudLoad.edt: [SBI $8454102F] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-18\Software\NtWqIVLZEWZU

Win32.FraudLoad.edt: [SBI $666C83D9] Data (File, fixed)
C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Win32.FraudLoad.edt: [SBI $354F3C2C] Data (File, fixed)
C:\Windows\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Win32.Qhost.aei: [SBI $1158B2AB] Executable (File, fixed)
C:\Windows\Temp\csrss.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Malwarebytes:

Malwarebytes' Anti-Malware 1.50.1.1100
Malwarebytes

Database version: 6317

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/9/2011 3:45:43 PM
mbam-log-2011-04-09 (15-45-43).txt

Scan type: Quick scan
Objects scanned: 158022
Time elapsed: 10 minute(s), 46 second(s)

Memory Processes Infected: 6
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
c:\Windows\Temp\0.8350004908122783.exe (Backdoor.CycBot.Gen) -> 6096 -> Unloaded process successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\dwm.exe (Trojan.Downloader) -> 4952 -> Unloaded process successfully.
c:\Windows\Temp\Cjs.exe (Trojan.Downloader) -> 9360 -> Unloaded process successfully.
c:\Windows\Temp\Cjq.exe (Trojan.Downloader) -> 5736 -> Unloaded process successfully.
c:\Windows\Temp\Cjr.exe (Trojan.Downloader) -> 19660 -> Unloaded process successfully.
c:\Windows\Temp\csrss.exe (Trojan.Agent) -> 4304 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\W5E7SH31DG (Trojan.Downloader) -> Value: W5E7SH31DG -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Backdoor.CycBot.Gen) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\cgb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\cgb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\cgb.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Temp\0.8350004908122783.exe (Backdoor.CycBot.Gen) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\dwm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\Cjs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\Cjq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\Cjr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\microsoft\conhost.exe (Backdoor.CycBot.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\0.019031425330097607.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.

I really need help now. I have no clue what my aunt decided to visit, and whatever she downloaded is driving me up a wall.
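As an added, defender-side example (not code from the thread or from either poster): a PowerShell check, run after the cleanup, that re-inspects the registry locations and task files the Spybot and Malwarebytes logs above reported as hijacked. It assumes an elevated prompt on the same Windows 7 machine; the "suspicious directory" pattern is my own choice based on where the logs show the files living.

```powershell
# Added example (not from the thread): re-checks the persistence and hijack
# locations the logs above reported, to confirm the cleanup held after a reboot.
$suspiciousPath = 'AppData|\\Temp\\|systemprofile'   # dirs the logs show malware living in
$findings = New-Object System.Collections.Generic.List[string]

function Get-DefaultValue([string]$keyPath) {
    $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
    if ($key) { return [string]$key.GetValue('') }   # '' = the (default) value
    return $null
}

# 1. .exe association: anything other than "%1" %* means every EXE launch
#    is routed through another program (the Hijack.ExeFile entry in the log).
$exeCmd = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
if ($exeCmd -ne '"%1" %*') { $findings.Add("exefile handler hijacked: $exeCmd") }

# 2. Start Menu browser entries: the log showed cgb.exe wrapping firefox.exe
#    and iexplore.exe. A clean command names exactly one .exe in a normal dir.
Get-ChildItem 'HKLM:\SOFTWARE\Clients\StartMenuInternet' -ErrorAction SilentlyContinue |
  ForEach-Object {
    foreach ($verb in 'open', 'safemode') {
        $cmd = Get-DefaultValue "$($_.PSPath)\shell\$verb\command"
        if (-not $cmd) { continue }
        $exeCount = ([regex]::Matches($cmd, '\.exe', 'IgnoreCase')).Count
        if ($exeCount -gt 1 -or $cmd -match $suspiciousPath) {
            $findings.Add("StartMenuInternet $($_.PSChildName)\$verb hijacked: $cmd")
        }
    }
  }

# 3. Run keys (the log found W5E7SH31DG and conhost here) pointing into
#    temp or profile directories.
foreach ($hive in 'HKLM:', 'HKCU:', 'Registry::HKEY_USERS\.DEFAULT') {
    $runKey = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PowerShell metadata
        if ("$($p.Value)" -match $suspiciousPath) {
            $findings.Add("Run value $runKey\$($p.Name) = $($p.Value)")
        }
    }
}

# 4. Zero-byte .job files in C:\Windows\Tasks (size 0, MD5 of an empty file in the log).
Get-ChildItem "$env:windir\Tasks\*.job" -ErrorAction SilentlyContinue |
  Where-Object { $_.Length -eq 0 } |
  ForEach-Object { $findings.Add("empty scheduled task stub: $($_.FullName)") }

if ($findings.Count) { $findings } else { 'No leftovers found at the logged locations.' }
```

Anything it prints is a location to re-examine by hand, not a verdict; a clean run only means these particular spots match the expected defaults.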
 
Download HJT on another computer and run it from a USB thumb drive or something, just don't put the thumb drive back into your other computer. You should ask what sites your aunt visited, and teach her safe browsing and why she shouldn't click on everything that tells her she won a million dollars. It sounds like she didn't know how to get out of one of those virus sites that tell you there are viruses on your computer.

It looks like Malwarebytes got rid of a bunch of things that were causing problems. What are your symptoms now? And you are running all of this in safe mode, right?
 