04-08-2011, 10:29 PM   #1
Warren (In Runtime)
Join Date: Jun 2010
Posts: 168
Agent_r.XJ Trojan, URGENT!


A day ago, my aunt decided to use my computer for some web surfing, that she said was "safe". Even though I doubted it, since she's my aunt, I was obliged to loan her my nice laptop.

Today when I finally got access to my laptop again, I knew something was really screwed up. My search results kept being redirected to weird sites, some fake AV tool kept blasting me with messages, and Task Manager wouldn't show me processes from all users.

I sort of pride myself on being able to fix computers, so I tried to see if I could fix it myself.

I ran AVG, which turned up two viruses: one I could delete, and a second that could not be deleted.

Here is the log:

"C:\Windows\System32\wuauclt.exe (5152):\memory_00010000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"C:\Windows\System32\wuauclt.exe (5152)";"Trojan horse Agent_r.XJ";""
"C:\Windows\System32\sysprep\CRYPTBASE.DLL";"Trojan horse Generic21.CPEO";"Infected"
"C:\Windows\explorer.exe (728):\memory_00010000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"C:\Windows\explorer.exe (728)";"Trojan horse Agent_r.XJ";""
"C:\Program Files\Mozilla Firefox\firefox.exe (6000):\memory_00010000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"C:\Program Files\Mozilla Firefox\firefox.exe (6000)";"Trojan horse Agent_r.XJ";""

After using AVG, I decided to open up Malwarebytes, and Spybot S&D. Neither of them would open up and returned an error message like this:

"C:\Program Files\Malwarebytes' Anti Malware\mbam.exe

The dependency service or group failed to start."

I tried to reinstall Malwarebytes, but the site was redirected to some virus protector named "STOPZilla", and also blocked the installer.

I then thought about running HJT, but again the site was redirected to 5 different search engines that I don't use.

Any help appreciated,

Hello Again,

Well, I checked my computer again today, and after finally being able to get Spybot and Malwarebytes to run, I saw about 8 different viruses from both of them.

Here are the new logs:


--- Report generated: 2011-04-09 15:46 ---

Click.GiftLoad: [SBI $89783858] User settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

Fraud.InternetSecurity2011: [SBI $F7DAA6B2] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\

Win32.FraudLoad.edt: [SBI $8454102F] Settings (Registry key, fixed)

Win32.FraudLoad.edt: [SBI $8454102F] Settings (Registry key, fixed)

Win32.FraudLoad.edt: [SBI $666C83D9] Data (File, fixed)

Win32.FraudLoad.edt: [SBI $354F3C2C] Data (File, fixed)

Win32.Qhost.aei: [SBI $1158B2AB] Executable (File, fixed)


Malwarebytes' Anti-Malware

Database version: 6317

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/9/2011 3:45:43 PM
mbam-log-2011-04-09 (15-45-43).txt

Scan type: Quick scan
Objects scanned: 158022
Time elapsed: 10 minute(s), 46 second(s)

Memory Processes Infected: 6
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
c:\Windows\Temp\0.8350004908122783.exe (Backdoor.CycBot.Gen) -> 6096 -> Unloaded process successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\dwm.exe (Trojan.Downloader) -> 4952 -> Unloaded process successfully.
c:\Windows\Temp\Cjs.exe (Trojan.Downloader) -> 9360 -> Unloaded process successfully.
c:\Windows\Temp\Cjq.exe (Trojan.Downloader) -> 5736 -> Unloaded process successfully.
c:\Windows\Temp\Cjr.exe (Trojan.Downloader) -> 19660 -> Unloaded process successfully.
c:\Windows\Temp\csrss.exe (Trojan.Agent) -> 4304 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\W5E7SH31DG (Trojan.Downloader) -> Value: W5E7SH31DG -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Backdoor.CycBot.Gen) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\cgb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\cgb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\cgb.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Temp\0.8350004908122783.exe (Backdoor.CycBot.Gen) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\dwm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\Cjs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\Cjq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\Cjr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\microsoft\conhost.exe (Backdoor.CycBot.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\0.019031425330097607.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.

I really need help now, I have no clue what my aunt decided to visit, and whatever she downloaded is driving me up a wall.

Warren is offline
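The Malwarebytes log above shows the three persistence points this infection used: the .exe file-association command (Hijack.ExeFile), the Start-menu browser commands (Hijack.StartMenuInternet), and Run-key entries launching from Temp and the system-profile AppData folders. The following is an added, read-only audit script, not something posted in the thread; it reports deviations at those locations on a Windows 7 box and changes nothing. The expected stock values it compares against are assumptions from standard Windows 7 defaults.

```powershell
# Added example (not from the thread): read-only audit of the persistence points the
# Malwarebytes log shows as hijacked. Reports deviations; changes nothing.
# Run from an elevated PowerShell prompt. Windows 7 / PowerShell 2.0 compatible syntax.

$findings = @()
$suspiciousPath = '(?i)\\Temp\\|\\AppData\\|\\config\\systemprofile\\'

# 1. .exe file association (Hijack.ExeFile in the log). Stock value is "%1" %* ;
#    any other executable named here is launched before every program the user starts.
foreach ($key in 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
                 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command') {
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -notmatch '^"%1"\s*%\*$') { $findings += "$key = $cmd" }
}

# 2. Start-menu browser entries (Hijack.StartMenuInternet). A clean command names a
#    single browser executable; the log's bad value wrapped firefox.exe inside cgb.exe.
Get-ChildItem 'HKLM:\SOFTWARE\Clients\StartMenuInternet' -ErrorAction SilentlyContinue |
  ForEach-Object {
    foreach ($sub in 'open', 'safemode') {
        $p = $_.PSPath + '\shell\' + $sub + '\command'
        $cmd = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and (([regex]::Matches($cmd, '(?i)\.exe')).Count -gt 1 -or
                       $cmd -match $suspiciousPath)) {
            $findings += "$p = $cmd"
        }
    }
  }

# 3. Run keys, including the .DEFAULT hive that held the log's W5E7SH31DG entry.
#    Entries launching from Temp or a system-profile AppData folder are reported.
foreach ($hive in 'HKLM:', 'HKCU:', 'Registry::HKEY_USERS\.DEFAULT') {
    $p = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
            if ($_.Value -match $suspiciousPath) { $findings += "$p\$($_.Name) = $($_.Value)" }
        }
    }
}

# 4. Legacy scheduled-task jobs (the log removed three GUID-named .job files): list for review.
Get-ChildItem "$env:windir\Tasks" -Filter *.job -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Scheduled job present: $($_.Name)" }

if ($findings) { $findings | ForEach-Object { Write-Output "SUSPECT: $_" } }
else { Write-Output 'No deviations found in the audited locations.' }
```

Anything reported under sections 1 to 3 should be compared against the Bad/Good pairs in the log before it is touched; section 4 only lists jobs, since legitimate software also creates .job files.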
04-11-2011, 11:58 AM   #2
Theory5 (Baseband Member)
Join Date: Jan 2011
Posts: 45
Re: Agent_r.XJ Trojan, URGENT!

Download HJT on another computer and run it with a USB thumb drive or something, just don't put the thumb drive back into your other computer. You should ask what sites your aunt visited, and teach her safe browsing and why she shouldn't click on everything that tells her she won a million dollars. It sounds like she didn't know how to get out of one of those virus sites that tell you there are viruses on your computer.

It looks like Malwarebytes got rid of a bunch of things that were causing problems. What are your symptoms now? And you are running all of this in safe mode, right?

Take a look at my Computer & Technology Blog! www.pcjargon.net
Theory5 is offline
04-11-2011, 12:17 PM   #3
~Darkseeker~ (Fully Optimized)
Join Date: Jan 2010
Location: Hertfordshire, United Kingdom
Posts: 2,433
Re: Agent_r.XJ Trojan, URGENT!

Do everything that you did again, but in Safe Mode. See if this helps.
EVGA SLI Micro Z68 // Intel i5-2500k // 8GB Corsair Vengeance 1866MHz // Overclocked 2GB MSI R9 270X // Corsair Carbide SPEC-03 // Kingston Hyper-X 120GB // 2TB WD Green + 500GB WD Black
~Darkseeker~ is offline