BleepingComputer.com: Trojan horse Agent_r.XJ, Trojan horse Generic22.LOZ

I've been infected with the Trojan horse Agent_r.XJ and Trojan horse Generic22.LOZ viruses. I ran a scan with AVG. There were some viruses that could be removed but this is what was left over in inaccessible objects:

"C:\WINDOWS\system32\svchost.exe (1876):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"C:\WINDOWS\system32\svchost.exe (1876)";"Trojan horse Agent_r.XJ";""
"C:\WINDOWS\explorer.exe (1088):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"C:\WINDOWS\explorer.exe (1088)";"Trojan horse Agent_r.XJ";""
"C:\Program Files\Mozilla Firefox\firefox.exe (4800):\memory_001b0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"C:\Program Files\Mozilla Firefox\firefox.exe (4800)";"Trojan horse Agent_r.XJ";""
"C:\Documents and Settings\Connie\Application Data\2DBF29BD99DB6FC99391D58322FEDAD9\arg70techsdk.exe";"Trojan horse Generic22.LOZ";"Moved to Virus Vault"

After the SpyBot search & destry listed below AVG reports this:
"C:\WINDOWS\system32\wuauclt.exe (4472):\memory_001b0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"C:\WINDOWS\system32\wuauclt.exe (4472)";"Trojan horse Agent_r.XJ";""
"C:\WINDOWS\system32\svchost.exe (7956):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"C:\WINDOWS\system32\svchost.exe (7956)";"Trojan horse Agent_r.XJ";""
"C:\WINDOWS\explorer.exe (1088):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"C:\WINDOWS\explorer.exe (1088)";"Trojan horse Agent_r.XJ";""
"C:\Program Files\Mozilla Firefox\firefox.exe (5124):\memory_001b0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"C:\Program Files\Mozilla Firefox\firefox.exe (5124)";"Trojan horse Agent_r.XJ";""


I'm running Windows XP SP3. At one point I was unable to run Internet Explorer or Firefox. I have re-installed Firefox and it's working. Internet Explorer is working now too.

I read that tdsskiller would get rid of the virus and followed the instructions that I saw: Put it on my desktop and rename it. I did so, and a popup came up titled Initialization. The progress bar went to 80% and stopped. Then the program crashed.

I have SpyBot installed which prompts you for permission to change anything in the registry. I have blocked everything except when I have intentionally installed programs or am expecting some kind of registry change. Over the past few days there have been numerous attempts to change the registry which I have blocked.

I did a scan with SpyBot and would like to post what it found but that makes my post too long to submit.

Thank you for any help you can provide.
QB

Is this the right forum to post my virus problem in or should I post it somewhere else?

Looks like we may have the new TDL variant

Please download Rootkit Unhooker from one of the following links and save it to your desktop.

Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

• Double-click on RKUnhookerLE.exe to start the program.
  Vista/Windows 7 users right-click and select Run As Administrator.
  
• Click the Report tab, then click Scan.
  
• Check Drivers, Stealth, and uncheck the rest.
  
• Click OK.
  
• Wait until it's finished and then go to File > Save Report.
  
• Save the report to your Desktop.
  
• Copy and paste the contents of the report into your next reply.

-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

I put RKUnhookerLE.exe on the desktop and tried running it. The computer rebooted. I also tried renaming it and ran it. The computer rebooted again.

Is the antivirus that showed the issues in your 1st post AVG? If so it tends to interfere with several tools.
Download this. Then disable AVG. Disconnect from the internet and run TDSSKiller and RKUnhooker. Hopefully they run now.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

• Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
  Vista/Windows 7 users right-click and select Run As Administrator.
  
• If TDSSKiller does not run, try renaming it.
  
• To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  
• Click the Start Scan button.
  
• Do not use the computer during the scan
  
• If the scan completes with nothing found, click Close to exit.
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  
• Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  
• A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  
• Copy and paste the contents of that file in your next reply.

Reenable AV and reconnect.

This post has been edited by boopme: 25 April 2011 - 08:01 PM

boopme, on 25 April 2011 - 08:00 PM, said:

boopme, on 23 April 2011 - 07:40 PM, said:

Yes, I'm using AVG. I turned it off and reran TDSSKiller.exe from the desktop (and tried renaming it as well) and it did the same thing as before. It crashed after 80%. So then I tried running Rootkit Unhooker and that did work. Here is the report:

============ Remover for Backdoor.Generic3.SVX ===============
Date: 26.04.2011 07:14
C:\WINDOWS\ALCMTR.EXE OK
C:\WINDOWS\ALCWZRD.EXE OK
C:\WINDOWS\explorer.exe OK
C:\WINDOWS\hh.exe OK
C:\WINDOWS\IsUninst.exe OK
C:\WINDOWS\izitilar.dll OK
C:\WINDOWS\MicCal.exe OK
C:\WINDOWS\NOTEPAD.EXE OK
C:\WINDOWS\regedit.exe OK
C:\WINDOWS\RTHDCPL.EXE OK
C:\WINDOWS\RtkAudioService.exe OK
C:\WINDOWS\RTLCPL.EXE OK
C:\WINDOWS\RtlExUpd.dll OK
C:\WINDOWS\RtlUpd.exe OK
C:\WINDOWS\SkyTel.exe OK
C:\WINDOWS\SOUNDMAN.EXE OK
C:\WINDOWS\sttray.exe OK
C:\WINDOWS\TASKMAN.EXE OK
C:\WINDOWS\twain_32.dll OK
C:\WINDOWS\twunk_32.exe OK
C:\WINDOWS\uninst.exe OK
C:\WINDOWS\unvise32.exe OK
C:\WINDOWS\vmmreg32.dll OK
C:\WINDOWS\vncutil.exe OK
C:\WINDOWS\winhlp32.exe OK
Work complete


Thanks for your help,
QB

This post has been edited by quarkburger: 26 April 2011 - 09:35 PM

Try TDDS killer once more. If no go........
Then we have to use a LONG scan.. and if that goesn;t clear it we will have to move you.



Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:

• Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  
• Read the anti-virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  
• The Express scan will automatically begin.
  (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  
• If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  
• If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)

• After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  
• In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  
• Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  
• Please be patient as this scan could take a long time to complete.
  
• When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  
• Click Select All, then choose Cure > Move incurable.
  
• In the top menu, click file and choose save report list.
  
• Save the DrWeb.csv report to your desktop.
  
• Exit Dr.Web Cureit when done.
  
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

I will do these steps, but I'm leaving for a trip today. I will be back next week and then I will get back to it.

Thanks for all the help.

QB

boopme, on 26 April 2011 - 09:51 PM, said:

I'm back from my trip and I tried the TDDS killer again. This time it prompted me to download an update, so I did. I ran the updated version of TDDS killer and it found and removed the virus.

Thanks for all the help!
QB

Excellent! remember this malware steals passwords so change all.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
  
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use Disk Cleanup to remove all but the most recently created Restore Point.
  
• Go to Start > Run and type: Cleanmgr
  
• Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
  
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  
• Click Yes, then click Ok.
  
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
  
• Disk Cleanup will remove the files and close automatically.

Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

• Simple and easy ways to keep your computer safe.
  
• How did I get infected?, With steps so it does not happen again!.
  
• Hardening Windows Security - Part 1 & Part 2.
  
• Configuring Internet Explorer for Practical Security and Privacy - How to Secure Your Web Browser.
  
• Your Guide To Staying Safe Online.
  
• Use Task Manager to close pop-up messages to safely exit malware attacks.

• Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

• Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

• USB-Based Malware Attacks.
  
• When is AUTORUN.INF really an AUTORUN.INF?.
  
• Please disable Autorun asap!.

Sorry, I spoke too soon. Last night and this morning it appeared to be working fine, even after rebooting. Now I can't open firefox or internet explorer. When I try I get an "Open With" window that says to choose the program you want to use to open the file. The recommended application to open Firefox with is Firefox. If I select Firefox and OK then apparently firefox opens firefox. There is a popup that says:

-----------------------------------
Opening firefox.exe
You have chosen to open firefox.exe
which is a: Application
from C:\Program Files\Mozilla Firefox

Would you like to save the file?
-----------------------------------

This is just odd so I click Cancel. Firefox then works however. The same method does not run internet explorer though.

There is no AVG icon in my toolbar anymore. I have an AVG icon on my desktop, but clicking that also brings up an "Open With" popup. If I right-click on the AVG icon, and select 'scan with AVG', then AVG comes up and I can do a full scan. It shows nothing is infected.

Should I follow the steps posted above for Dr.Web CureIt?

Go here to Doug KNox's Windows® XP File Association Fixes
Run 9th down on left... EXE File Association Fix ... the EXE not EML one.