Trojan Horse Agent _r.XJ


  • This topic is locked
9 replies to this topic

#1 SacSurge

SacSurge

  • Members
  • 91 posts
  • OFFLINE
  • Local time:08:55 AM

Posted 06 January 2011 - 04:15 PM

Windows XP service pack 3

New to the forum and fixing my own PC but times are very tough now and PC is messed up.

Uninstalled AVG and ran cleanup tool and down loaded combofix and ran it in safe mode and it detected Root Kit activity TDL - 3 and always has to reboot and I can't get it to scan. Is there anything I can do to avoid a complete system restore.

AVG ran in safe mode found 6 infections and removed 3 but 3 were inaccessible.

C:\Windows\system32\svchost.exe(1248):\memory_001a0000

C:\Windows\system32\csrss.exe(732):\memory_00270000

C:\Windows\explorer.exe(1720):\memory_001a0000

Thanks in advance and hope I posted enough info..



#2 denako

denako

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Male
  • Location:IL, USA
  • Local time:09:55 AM

Posted 06 January 2011 - 05:39 PM

Try downloading this, it's free! http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Run the scan, then restart your computer, and it should be gone! If you have any other problems, please let us know.

Although this may work, I just need to point out that when a virus/trojan does that much damage to a computer, it won't be working back at its original fast-speed state. The best way to revamp your computer would be to back it up after you fix this and re-install your OS. But if speed and performance aren't a problem for you and you don't mind the bit of under-performance, then after that scan, you're good to go!

Edited by rigel, 06 January 2011 - 09:41 PM.

http://randomforumtitle.com - Unofficial Deadmau5 Forums

#3 Eyesee

Eyesee

    Bleepin Teck Shop


  • BC Advisor
  • 3,447 posts
  • OFFLINE
  • Gender:Male
  • Location:In the middle of Kansas
  • Local time:10:55 AM

Posted 06 January 2011 - 05:49 PM

I would also follow up by downloading, installing, updating and running MalwareBytes AntiMalware. Do the full scan.
It could take some time so go kill some time while it is running.

If you are still having problems let us know and we will get you moved to the malware thread.
In the beginning there was the command line.

#4 denako

denako

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Male
  • Location:IL, USA
  • Local time:09:55 AM

Posted 06 January 2011 - 06:00 PM

I would also follow up by downloading, installing, updating and running MalwareBytes AntiMalware. Do the full scan.
It could take some time so go kill some time while it is running.

If you are still having problems let us know and we will get you moved to the malware thread.


I would agree on this, but based on the research I've done, it seems like Malwarebytes doesn't find this trojan. It's still worth a shot though. Just because it doesn't work for others doesn't mean that it won't for you. ;)

#5 SacSurge

SacSurge
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  • Local time:08:55 AM

Posted 06 January 2011 - 06:20 PM

Thanks guys! I will try these things out. Working in safe mode and using Firefox, and just now another infection executed, so I think this is probably the kiss of death. UGH!

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,448 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:55 AM

Posted 06 January 2011 - 09:45 PM

Hello I have moved this from XP to the Am I Infected forum.

This malware is a keylogger which logs keystrokes, Web sites visited, programs used, and files and folders opened or used. It runs without being detected and takes snapshots of the screen. It can be used to monitor locally as well as remotely. We recommend that you remove this immediately unless you have installed it for a purpose.
A keylogger program can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.).

This gives it backdoor functionality.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised, and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you want to clean, then please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#7 SacSurge

SacSurge
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  • Local time:08:55 AM

Posted 08 January 2011 - 11:07 AM

My machine appears to be working fine, but after reading this I'm very concerned.

All I did was run the Kaspersky removal tool TDSSkiller and then ran Stopzilla and AVG free in safe mode and the infections were no longer detected and my sound returned and my strat baseball game started working properly again. It wasn't running the .wav files but they would run when clicked on directly.

STOPzilla identified these as removed during the infection period and now shows as clean:
Google Redirect - Spyware
Vundo.V - Trojan
6to4v32 - Trojan
Vundo.A7 - Hijacker
EICAR_test_file - Virus
CATCHME - Trojan
GASF - Trojan
System Policies.Disable Registry tools
System Tool 2011

#8 SacSurge

SacSurge
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  • Local time:08:55 AM

Posted 08 January 2011 - 01:06 PM

Attempting to run steps 6 - 9 as instructed.

1st attempt to save DeFogger prompted "can't save as another user is using." It did save when I clicked NO to cancel. Next problem was when I clicked the icon to run it, my STOPzilla Spyware program flagged it as Disk Clean Spyware. I exited STOPzilla and saved again, but when trying to run it the icon just disappears and nothing happens. I never get the application window to click the disable button. I'll wait for a response. Thanks so much!

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,448 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:55 AM

Posted 08 January 2011 - 08:06 PM

Hello, yes, as said, the machine can be cleaned. Stopzilla has a lot of issues. It is correct that it wants to stop the app, as it looks like it's bad to an AV. So if you want Defogger to run you may have to disable Stopzilla while doing the Prep Guide.

Edited by boopme, 08 January 2011 - 08:07 PM.


#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,448 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:55 AM

Posted 09 January 2011 - 12:01 AM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.