Please help, can't get rid of Trojan horse Agent_r.XJ


Postby sallan29 » Thu May 05, 2011 8:38 pm

Hi
My PC started running very slow and we also had problems with searching in Firefox. As soon as you click on a website you are taken to another site. Very frustrating.
I have AVG Free Edition but have also downloaded Malwarebytes, SpyNoMore and CCleaner. They all find different things and I sometimes get clean results, but as soon as I try searching for something I'm back to getting transferred to other sites like YouTube, eBay etc.
I have enclosed the AVG scan result; I cannot seem to get rid of the trojans. Any help would be greatly appreciated.

Scan "Scheduled scan" completed.
Infections;"8";"4";"4"
Warnings;"31";"31";"0"
Folders selected for scanning:;"Whole computer scan"
Scan started:;"03 May 2011, 20:00:02"
Scan finished:;"03 May 2011, 21:01:18 (1 hour(s) 1 minute(s) 15 second(s))"
Total object scanned:;"921300"
User who launched the scan:;"SYSTEM"

Infections
;"File";"Infection";"Result"
;"C:\WINDOWS\system32\svchost.exe (1236)";"Trojan horse Agent_r.XJ";"Deleted"
;"C:\WINDOWS\system32\csrss.exe (760)";"Trojan horse Agent_r.XJ";"Deleted"
;"C:\WINDOWS\explorer.exe (448)";"Trojan horse Agent_r.XJ";"Deleted"
;"C:\Program Files\Mozilla Firefox\firefox.exe (3988)";"Trojan horse Agent_r.XJ";"Deleted"
;"C:\WINDOWS\system32\svchost.exe (1236):\memory_001a0000";"Trojan horse Agent_r.XJ";"Infected"
;"C:\WINDOWS\system32\csrss.exe (760):\memory_00270000";"Trojan horse Agent_r.XJ";"Infected"
;"C:\WINDOWS\explorer.exe (448):\memory_001a0000";"Trojan horse Agent_r.XJ";"Infected"
;"C:\Program Files\Mozilla Firefox\firefox.exe (3988):\memory_001a0000";"Trojan horse Agent_r.XJ";"Infected"

Warnings
;"File";"Infection";"Result"
;"C:\Documents and Settings\user\Cookies\user@atdmt[1].txt:\atdmt.com.9e6d7fd3";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
;"C:\Documents and Settings\user\Cookies\user@atdmt[1].txt:\atdmt.com.74c5668";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
;"C:\Documents and Settings\user\Cookies\user@atdmt[1].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
;"C:\Documents and Settings\user\Cookies\user@atdmt[1].txt";"Found Tracking cookie.Atdmt";"Healed"
;"C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[2].txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
;"C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[2].txt";"Found Tracking cookie.Tribalfusion";"Healed"
;"C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt:\serving-sys.com.db46cecc";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
;"C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt:\serving-sys.com.bb39fa8c";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
;"C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt:\serving-sys.com.3c465e6e";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
;"C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt:\serving-sys.com.176b0dad";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
;"C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt";"Found Tracking cookie.Serving-sys";"Healed"
;"C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[2].txt:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
;"C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[2].txt";"Found Tracking cookie.Serving-sys";"Healed"
;"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt:\ad.yieldmanager.com.e626e6be";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt:\ad.yieldmanager.com.8a47878";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt:\ad.yieldmanager.com.87a9ab5d";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt:\ad.yieldmanager.com.830b6f08";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt";"Found Tracking cookie.Yieldmanager";"Healed"
;"C:\Documents and Settings\LocalService\Cookies\system@revsci[1].txt:\revsci.net.d494ec35";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
;"C:\Documents and Settings\LocalService\Cookies\system@revsci[1].txt:\revsci.net.4e7641ba";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
;"C:\Documents and Settings\LocalService\Cookies\system@revsci[1].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
;"C:\Documents and Settings\LocalService\Cookies\system@revsci[1].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
;"C:\Documents and Settings\LocalService\Cookies\system@revsci[1].txt:\revsci.net.18a1d1b2";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
;"C:\Documents and Settings\LocalService\Cookies\system@revsci[1].txt";"Found Tracking cookie.Revsci";"Healed"
;"C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt:\ad.yieldmanager.com.e626e6be";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
;"C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt";"Found Tracking cookie.Yieldmanager";"Healed"
sallan29
Geek in Training
Posts: 17
Joined: Thu Jan 30, 2003 1:00 am
Location: United Kingdom
Thanks given: 3
Thanks received: 0
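Added example (not from the original post, and not AVG's own code): a small Python parser for the semicolon-separated AVG report format quoted above. It splits the File field into image path, process id and the ":\memory_..." or alternate-stream suffix, then lists the processes whose memory regions are still reported "Infected" even though the row for the process itself says "Deleted". That is the security-relevant reading of this log: the code is injected into running svchost.exe, csrss.exe, explorer.exe and firefox.exe, and a file-level verdict does not clear it; a core process such as csrss.exe or svchost.exe cannot be deleted at all while Windows is running, so "Deleted" on those rows carries no remediation, which is why the redirects came back after every scan. The sample input is a subset of the lines quoted in the post; the CORE_PROCESSES set and all function names are my own assumptions.

```python
import csv
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the AVG report lines quoted in the post above,
# kept in AVG's semicolon-separated, double-quoted layout.
SAMPLE_REPORT = r'''Infections
;"File";"Infection";"Result"
;"C:\WINDOWS\system32\svchost.exe (1236)";"Trojan horse Agent_r.XJ";"Deleted"
;"C:\WINDOWS\system32\csrss.exe (760)";"Trojan horse Agent_r.XJ";"Deleted"
;"C:\WINDOWS\system32\svchost.exe (1236):\memory_001a0000";"Trojan horse Agent_r.XJ";"Infected"
;"C:\WINDOWS\system32\csrss.exe (760):\memory_00270000";"Trojan horse Agent_r.XJ";"Infected"

Warnings
;"File";"Infection";"Result"
;"C:\Documents and Settings\user\Cookies\user@atdmt[1].txt:\atdmt.com.9e6d7fd3";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
;"C:\Documents and Settings\user\Cookies\user@atdmt[1].txt";"Found Tracking cookie.Atdmt";"Healed"
'''

# Processes that cannot be terminated or deleted while Windows is running; a
# "Deleted" verdict on one of these rows is not a remediation. (My own list.)
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

_PROC_RE = re.compile(r"^(?P<path>.+) \((?P<pid>\d+)\)$")


@dataclass
class Detection:
    section: str            # "Infections" or "Warnings"
    path: str               # file or process image path, stream suffix removed
    pid: Optional[int]      # process id when the row describes a running process
    stream: Optional[str]   # alternate data stream or "memory_<addr>" region
    infection: str
    result: str


def _split_stream(field: str) -> Tuple[str, Optional[str]]:
    # AVG appends ":\<name>" for an alternate data stream and ":\memory_<addr>"
    # for a memory region. The drive letter also carries a colon, so split on
    # the first ":\" after the two-character drive specifier.
    drive, rest = field[:2], field[2:]
    base, sep, stream = rest.partition(":\\")
    return drive + base, (stream if sep else None)


def parse_avg_report(text: str) -> List[Detection]:
    detections: List[Detection] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ";" not in line:
            section = line              # "Infections" / "Warnings" banner
            continue
        if not line.startswith(";"):
            continue                    # summary rows such as Scan started:;"..."
        fields = next(csv.reader([line], delimiter=";", quotechar='"'))
        if len(fields) < 4 or fields[1] == "File":
            continue                    # column header row
        path, stream = _split_stream(fields[1])
        pid = None
        m = _PROC_RE.match(path)
        if m:
            path, pid = m.group("path"), int(m.group("pid"))
        detections.append(Detection(section, path, pid, stream, fields[2], fields[3]))
    return detections


def injected_processes(detections: List[Detection]) -> Dict[Tuple[str, int], List[str]]:
    """Map (image name, pid) -> memory regions still reported as Infected."""
    regions: Dict[Tuple[str, int], List[str]] = {}
    for d in detections:
        if d.pid is None or not (d.stream or "").startswith("memory_"):
            continue
        if d.result.lower() != "infected":
            continue
        image = d.path.rsplit("\\", 1)[-1].lower()
        regions.setdefault((image, d.pid), []).append(d.stream)
    return regions


def triage(text: str) -> Dict[str, object]:
    dets = parse_avg_report(text)
    injected = injected_processes(dets)
    return {
        "infections": sorted({d.infection for d in dets if d.section == "Infections"}),
        "injected": {f"{image}:{pid}": regs for (image, pid), regs in sorted(injected.items())},
        "core_process_hit": any(image in CORE_PROCESSES for image, _ in injected),
        "tracking_cookies": sorted({d.infection for d in dets if d.infection.startswith("Found Tracking cookie")}),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Run it as a script to print the triage summary as JSON; feed it the whole report instead of the sample and the summary rows ("Scan started:;...") are skipped automatically. A non-empty "injected" map with "core_process_hit" true is the signal that an on-disk scan is not enough and the machine needs a scan from outside the running OS or a dedicated removal tool, which is what the moderator's ComboFix instructions below are aiming at.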

Re: Please help, can't get rid of Trojan horse Agent_r.XJ

Postby Gecko » Fri May 06, 2011 12:30 am

sallan29,

Please download combofix to your desktop.

Double click combofix.exe and follow the prompts.

If you are using AVG you might need to uninstall AVG to get Combofix to run.

If ComboFix will not start or is ended before the "Blue window", please rename combofix.exe to cbf.exe and try again.

If cbf.exe will not start or is ended, you will have to run cbf.exe from Safe Mode.
Reboot into Safe Mode:
Restart Windows after you see the BIOS screen and before Windows starts to load.
Start tapping the F8 key. The Windows Advanced Options Menu appears.
Use the arrow keys to ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe Mode.

Do not exit ComboFix while it is running; you may lose all your personal settings!
Important Note - Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

When it's done running it will produce a log for you. Please post that log in your next reply.

Who said thanks: sallan29 (Fri May 06, 2011 11:27 am)
Gecko
Super Moderator
Posts: 5207
Joined: Thu Oct 25, 2001 1:00 am
Location: Florida, USA
Thanks given: 1
Thanks received: 23

Re: Please help, can't get rid of Trojan horse Agent_r.XJ

Postby sallan29 » Fri May 06, 2011 11:32 am

I clicked on ComboFix and saved the file. Once it was in the Downloads folder I double-clicked on the icon to run the program, but I keep getting the same message saying:
"You appear to have a corrupt download. Please download a fresh copy of ComboFix.exe
You can close combofix by clicking on the right corner of the progress bar."

Have tried downloading a few times with the same results; also uninstalled AVG.

Re: Please help, can't get rid of Trojan horse Agent_r.XJ

Postby Gecko » Fri May 06, 2011 12:04 pm

sallan29,

Try the link below to download ComboFix from another location:
http://www.combofix.org/downloadlink.php

Who said thanks: sallan29 (Fri May 06, 2011 12:20 pm)

Re: Please help, can't get rid of Trojan horse Agent_r.XJ

Postby sallan29 » Fri May 06, 2011 12:04 pm

After a lot of attempts to access the ComboFix website (I keep getting redirected to a variety of other sites) I followed the instructions for download, with the same results.

Re: Please help, can't get rid of Trojan horse Agent_r.XJ

Postby sallan29 » Fri May 06, 2011 12:05 pm

Same result from your link too!

Re: Please help, can't get rid of Trojan horse Agent_r.XJ

Postby PCguy » Sat May 07, 2011 8:46 am

I have downloaded the latest version and uploaded it to this site. See if you can download it from us.

downloads/ComboFix.exe
PCguy
Lord of the Geeks
Posts: 2017
Joined: Sat Sep 15, 2001 1:00 am
Location: A Very Scarey Place
Operating System: Windows 7 Professional x64
Thanks given: 2
Thanks received: 4

Re: Please help, can't get rid of Trojan horse Agent_r.XJ

Postby sallan29 » Sat May 07, 2011 10:34 am

Managed to download from this link. It did detect an AVG scanner running even though I uninstalled it through Add and Remove Programs. It did continue and found something in the root and needed a restart, then continued to scan and Completed Stage -50.
Preparing Log Report: this took quite a while to do; log at C:/combofix.txt.
An exception box popped up, 'generic host process for win32', asking do I want to send an error report to Windows. I didn't have time to note the rest of the details before a dark blue screen popped up with a warning saying:
'A problem has been detected and windows has shut down to prevent damage to your computer BAD_POOL_HEADER
If this is the first time you've seen this error, restart pc if screen appears again follow these steps:
Check to make sure any new hardware or software is installed properly, if problem continues, disable bios memory options such as caching or shadowing. If you need to use safe mode etc, etc.
Technical information:
***STOP: 0x00000019 (0x00000020,0x08578FB80,0x8578FF98,0x1A830001)
Beginning to dump physical memory
Physical memory dump complete
Contact your system administrator or technical support for further assistance.'
Restarted the PC as normal but got the desktop screen with no icons. Did Ctrl-Alt-Delete; Windows Task Manager showed 17 processes running, I think normally about 40.
Restarted again in Safe Mode and clicked on My Computer to look for the log, but the timer symbol comes up and nothing happens. Can't access My Documents, My Pictures, My Music, though I can get on the Internet, just not on the pages I want; getting transferred to other sites worse than ever.
Please help!
Any help as to what I should try now would be appreciated.

Re: Please help, can't get rid of Trojan horse Agent_r.XJ

Postby Gecko » Sat May 07, 2011 10:49 am

sallan29,

I need to see the combofix log.

If you cannot access the ComboFix log then try running ComboFix again.

Re: Please help, can't get rid of Trojan horse Agent_r.XJ

Postby sallan29 » Sat May 07, 2011 11:08 am

ComboFix 11-05-06.04 - user 07/05/2011 9:41:33.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1022.697 [GMT 1:00]
Running from: C:\Documents and Settings\user\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2011-04-07 to 2011-05-07 )))))))))))))))))))))))))))))))


2011-05-07 08:29:38 . 2011-05-07 08:30:30 -------- d-----w- C:\32788R22FWJFW
2011-05-02 12:32:55 . 2011-05-02 12:32:58 -------- d-----w- C:\Program Files\CCleaner
2011-05-02 12:19:54 . 2010-12-20 17:09:00 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011-05-02 12:19:50 . 2010-12-20 17:08:40 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2011-05-02 12:13:28 . 2011-05-02 12:13:28 1152 ----a-w- C:\WINDOWS\system32\windrv.sys
2011-05-02 12:13:12 . 2011-05-06 02:45:51 -------- d-----w- C:\Program Files\SpyNoMore
2011-05-02 12:12:31 . 2011-05-02 12:13:13 -------- d-----w- C:\Documents and Settings\user\Application Data\GetRightToGo
2011-05-02 09:23:02 . 2011-05-02 09:23:02 -------- d-----w- C:\Documents and Settings\user\Application Data\DriverCure
2011-05-02 09:23:01 . 2011-05-02 09:23:01 -------- d-----w- C:\Documents and Settings\user\Application Data\SpeedMaxPc
2011-05-02 09:22:41 . 2011-05-02 11:17:35 -------- d-----w- C:\Documents and Settings\All Users\Application Data\SpeedMaxPc
2011-05-01 15:29:54 . 2011-05-05 19:41:57 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2011-05-01 15:29:54 . 2011-05-01 15:33:44 -------- d-----w- C:\Program Files\Spybot - Search & Destroy
2011-05-01 15:25:33 . 2011-05-01 16:32:10 -------- d-----w- C:\Program Files\Common Files\PC Tools
2011-04-27 19:47:25 . 2011-04-27 19:47:25 -------- d-----w- C:\Documents and Settings\user\Local Settings\Application Data\Threat Expert
2011-04-25 08:10:12 . 2011-05-01 16:32:10 -------- d-----w- C:\Program Files\PC Tools Security
2011-04-25 08:10:11 . 2011-05-02 11:19:15 -------- d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
2011-04-25 08:08:41 . 2011-05-01 16:27:54 -------- d-----w- C:\Documents and Settings\All Users\Application Data\PC Tools
2011-04-24 12:14:34 . 2011-04-24 12:14:34 -------- d-----w- C:\Documents and Settings\user\Application Data\Malwarebytes
2011-04-24 10:22:10 . 2011-04-24 10:22:10 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2011-04-24 10:22:03 . 2011-04-24 10:22:03 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2011-04-24 10:21:59 . 2011-05-02 12:19:54 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2011-04-24 10:09:06 . 2011-04-24 10:09:09 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2011-04-24 10:09:06 . 2011-04-24 10:09:06 -------- d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer
2011-04-24 10:08:55 . 2011-04-24 10:08:55 -------- d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2011-04-24 10:07:30 . 2011-04-24 10:07:30 -------- d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
2011-04-22 18:50:24 . 2011-04-22 18:50:24 -------- d-s---w- C:\Documents and Settings\NetworkService\UserData
2011-04-21 19:33:10 . 2011-04-22 18:36:37 -------- d-----w- C:\Program Files\qaoiypeq
2011-04-20 18:13:40 . 2011-04-20 18:13:40 -------- d-s---w- C:\Documents and Settings\LocalService\UserData
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-03-07 05:33:50 . 2009-10-01 15:05:32 692736 ----a-w- C:\WINDOWS\system32\inetcomm.dll
2011-03-04 06:45:07 . 2004-08-04 10:00:00 434176 ----a-w- C:\WINDOWS\system32\vbscript.dll
2011-03-03 13:21:11 . 2004-08-04 10:00:00 1857920 ----a-w- C:\WINDOWS\system32\win32k.sys
2011-02-18 16:36:58 . 2009-10-03 17:23:37 41984 ----a-w- C:\WINDOWS\system32\drivers\usbaapl.sys
2011-02-18 16:36:58 . 2009-10-03 17:23:37 4184352 ----a-w- C:\WINDOWS\system32\usbaaplrc.dll
2011-02-17 13:51:57 . 2006-03-04 03:33:46 667136 ----a-w- C:\WINDOWS\system32\wininet.dll
2011-02-17 13:51:57 . 2004-08-04 10:00:00 81920 ----a-w- C:\WINDOWS\system32\ieencode.dll
2011-02-17 13:51:57 . 2004-08-04 10:00:00 61952 ----a-w- C:\WINDOWS\system32\tdc.ocx
2011-02-17 13:18:24 . 2004-08-04 10:00:00 455936 ----a-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
2011-02-17 13:18:03 . 2004-08-04 10:00:00 357888 ----a-w- C:\WINDOWS\system32\drivers\srv.sys
2011-02-17 12:37:38 . 2004-08-04 10:00:00 369664 ----a-w- C:\WINDOWS\system32\html.iec
2011-02-17 12:32:12 . 2009-10-03 22:16:24 5120 ----a-w- C:\WINDOWS\system32\xpsp4res.dll
2011-02-15 12:56:39 . 2004-08-04 10:00:00 290432 ----a-w- C:\WINDOWS\system32\atmfd.dll
2011-02-09 13:53:52 . 2004-08-04 10:00:00 270848 ----a-w- C:\WINDOWS\system32\sbe.dll
2011-02-09 13:53:52 . 2004-08-04 10:00:00 186880 ----a-w- C:\WINDOWS\system32\encdec.dll
2011-02-08 13:33:55 . 2004-08-04 10:00:00 978944 ----a-w- C:\WINDOWS\system32\mfc42.dll
2011-02-08 13:33:55 . 2004-08-04 10:00:00 974848 ----a-w- C:\WINDOWS\system32\mfc42u.dll
2010-01-01 08:00:00 . 2011-04-24 08:48:19 135168 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((( SnapShot@2011-05-02_11.03.22 )))))))))))))))))))))))))))))))))))))))))

+ 2011-05-07 08:40:09 . 2011-05-07 08:40:09 16384 C:\WINDOWS\Temp\Perflib_Perfdata_288.dat
- 2009-10-01 15:13:01 . 2011-05-02 09:48:26 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-01 15:13:01 . 2011-05-02 11:12:57 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-01 15:13:01 . 2011-05-02 11:12:57 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-10-01 15:13:01 . 2011-05-02 09:48:26 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-10-01 15:13:01 . 2011-05-02 09:48:26 16384 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-01 15:13:01 . 2011-05-02 11:12:57 16384 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2011-04-14 14:46:38 . 2011-04-14 14:46:38 3854848 C:\WINDOWS\Installer\3ca6f.msp
+ 2011-05-02 11:44:31 . 2011-05-02 11:44:31 3446272 C:\WINDOWS\Installer\3ca6c.msi
+ 2011-05-02 11:42:22 . 2011-05-02 11:42:23 1611776 C:\WINDOWS\Installer\3ca68.msi
+ 2011-03-13 01:02:01 . 2011-03-13 01:02:01 15139328 C:\WINDOWS\Installer\3ca6e.msp
+ 2011-01-31 10:45:10 . 2011-01-31 10:45:10 11135488 C:\WINDOWS\Installer\3ca6d.msp

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 21:12:38 3872080]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 15:07:20 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 16:20:44 339968]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50:42 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-10-16 22:42:41 149280]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 17:17:16 47904]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 04:47:04 35760]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 23:07:44 932288]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2011-03-07 15:33:40 421160]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2010-07-12 20:40:08 1067984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 04:42:18 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Spotify\\spotify.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 COSIDS_TB;COSIDS_TB;C:\PROGRA~1\COSIDS\BIN\TbMux32.exe [04/02/2010 13:02:38 165376]
R2 FsUsbExService;FsUsbExService;C:\WINDOWS\system32\FsUsbExService.Exe [08/04/2010 17:19:56 233472]
R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\system32\FsUsbExDisk.Sys [08/04/2010 17:19:56 36608]
S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [30/03/2011 19:58:23 136176]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WUAUSERV

Contents of the 'Scheduled Tasks' folder

2011-03-30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34:12 . 2008-07-30 11:34:12]

2011-05-07 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2011-03-30 18:58:23 . 2011-03-30 18:58:17]

2011-05-06 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2011-03-30 18:58:23 . 2011-03-30 18:58:17]

2011-05-01 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-299502267-682003330-1004Core.job
- C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 18:03:05 . 2009-10-03 18:03:03]

2011-05-06 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-299502267-682003330-1004UA.job
- C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 18:03:05 . 2009-10-03 18:03:03]


------- Supplementary Scan -------

uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\5ryolv8x.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourma ... e=61465&p=
FF - user.js: yahoo.homepage.dontask - true

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
sallan29
Geek in Training
Posts: 17
Joined: Thu Jan 30, 2003 1:00 am
Location: United Kingdom
Thanks given: 3
Thanks received: 0
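Added example, not part of the thread and not ComboFix's own code: a Python parser for the "Reg Loading Points" section of the ComboFix log above, in ComboFix's REGEDIT4-style layout. It pulls out the Run/RunOnce autorun entries and flags the three values in this log that silence Windows' own warnings: Security Center AntiVirusOverride and FirewallOverride set to 1, and the firewall standard profile's DisableNotifications set to 1. Legitimate security suites sometimes set these too, so a hit is a lead to correlate with the other symptoms (the search redirects, and the rogue "XP Home Security 2011" alerts reported in the next post), not proof on its own. The sample lines are taken from the log quoted above; the SUPPRESSION_CHECKS table and the function names are my own, and the "[X]" marker is read here as ComboFix's flag for an entry whose target it could not find.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the security-relevant lines from the "Reg Loading Points"
# section of the ComboFix log quoted above, in ComboFix's REGEDIT4-style layout.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50:42 155648]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2010-07-12 20:40:08 1067984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
'''

_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
_QUOTED_PATH_RE = re.compile(r'^"(?P<path>[^"]*)"')

# Value names that, when set to 1, suppress Windows' "no antivirus / no firewall"
# warnings. Malware and rogue AV commonly set them; some legitimate suites do
# as well, hence "lead", not "verdict". (Assumed table, my own.)
SUPPRESSION_CHECKS = [
    (r"\\security center$", "antivirusoverride", "Security Center antivirus monitoring overridden"),
    (r"\\security center$", "firewalloverride", "Security Center firewall monitoring overridden"),
    (r"\\firewallpolicy\\standardprofile$", "disablenotifications", "Windows Firewall notifications disabled"),
]


def parse_reg_loading_points(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {registry key: [(value name, raw data), ...]} from the section text."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            entries.setdefault(key, [])
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            entries[key].append((m.group("name"), m.group("data")))
    return entries


def reg_int(data: str) -> Optional[int]:
    """Decode the two numeric renderings seen in the log: 'dword:00000001' and '1 (0x1)'."""
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"^\d+", data)
    return int(m.group(0)) if m else None


def find_suppression_flags(entries: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    findings: List[str] = []
    for key, values in entries.items():
        for pattern, name, why in SUPPRESSION_CHECKS:
            if not re.search(pattern, key.lower()):
                continue
            for vname, data in values:
                if vname.lower() == name and reg_int(data) == 1:
                    findings.append(f"{key}\\{vname} = 1: {why}")
    return findings


def _is_autorun_key(key: str) -> bool:
    return key.lower().endswith(("\\run", "\\runonce"))


def autorun_targets(entries: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """(key, value name, quoted target) for every Run/RunOnce entry."""
    out: List[Tuple[str, str, str]] = []
    for key, values in entries.items():
        if not _is_autorun_key(key):
            continue
        for vname, data in values:
            m = _QUOTED_PATH_RE.match(data)
            if m:
                out.append((key, vname, m.group("path")))
    return out


def dangling_autoruns(entries: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """Run/RunOnce entries ComboFix tagged with [X]: target not found on disk."""
    out: List[Tuple[str, str, str]] = []
    for key, values in entries.items():
        if not _is_autorun_key(key):
            continue
        for vname, data in values:
            if data.rstrip().endswith("[X]"):
                m = _QUOTED_PATH_RE.match(data)
                out.append((key, vname, m.group("path") if m else data))
    return out


if __name__ == "__main__":
    reg = parse_reg_loading_points(SAMPLE_REG)
    for finding in find_suppression_flags(reg):
        print("SUPPRESSION:", finding)
    for _key, name, target in dangling_autoruns(reg):
        print("DANGLING AUTORUN:", name, "->", target)
    for _key, name, target in autorun_targets(reg):
        print("AUTORUN:", name, "->", target)
```

Paste the full "Reg Loading Points" block in place of the sample and the same three checks run over it; the "HKLM\~\services" shorthand ComboFix uses for the services key is matched on its tail, so no expansion is needed. The point of keeping the checks in a table is that the next log in this thread (or the HijackThis log the moderator asks for) can be run through the same code to confirm whether the overrides were cleared.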

Re: Please help, can't get rid of Trojan horse Agent_r.XJ

Postby sallan29 » Sun May 08, 2011 8:45 am

Uninstalled AVG to do the scan log but now seem to be bombed with XP Home Security 2011 - UnRegistered Version. It keeps popping up on the PC when I switch it on and seems to find loads of infections, then wants me to pay to remove them. If I do nothing they still keep popping up over the top of everything, driving me nuts. New pages on the Internet keep opening by themselves while I am typing this. Do you have any suggestions on what is the best type of protection to download? Did the log show anything unusual, or should I try and run it again?

Re: Please help, can't get rid of Trojan horse Agent_r.XJ

Postby Gecko » Sun May 08, 2011 12:12 pm

Copy and paste ALL the following text in the quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as type: 'All Files' / File name: CFScript, and save it to your desktop.
File::
C:\WINDOWS\system32\windrv.sys
Folder::
C:\Documents and Settings\All Users\Application Data\TEMP
C:\Program Files\qaoiypeq
Registry::

Now drag and drop the CFScript file onto ComboFix.exe.

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

Re: Please help, can't get rid of Trojan horse Agent_r.XJ

Postby sallan29 » Sun May 08, 2011 8:20 pm

Tried this twice; got the auto scan stages 1-50 okay, then while deleting files the dark blue screen pops up with a warning saying 'A problem has been detected and windows has shut down to prevent damage to your computer BAD_POOL_CALLER
If this is the first time you've seen this error etc, etc.'
Tried again in Safe Mode and managed to get the log. You also asked for a HijackThis log; where do I get this?


ComboFix 11-05-07.03 - user 08/05/2011 20:01:07.7.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1022.817 [GMT 1:00]
Running from: c:\documents and settings\user\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
FILE ::
"c:\windows\system32\windrv.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
C:\Microsoft
c:\program files\qaoiypeq
c:\windows\system32\windrv.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-04-08 to 2011-05-08 )))))))))))))))))))))))))))))))
.
.
2011-05-08 18:55 . 2011-05-08 18:56 -------- d-----w- C:\32788R22FWJFW
2011-05-02 12:32 . 2011-05-02 12:32 -------- d-----w- c:\program files\CCleaner
2011-05-02 12:19 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-02 12:19 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 12:12 . 2011-05-02 12:13 -------- d-----w- c:\documents and settings\user\Application Data\GetRightToGo
2011-05-02 09:23 . 2011-05-02 09:23 -------- d-----w- c:\documents and settings\user\Application Data\DriverCure
2011-05-02 09:23 . 2011-05-02 09:23 -------- d-----w- c:\documents and settings\user\Application Data\SpeedMaxPc
2011-05-02 09:22 . 2011-05-02 11:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedMaxPc
2011-05-01 15:29 . 2011-05-08 08:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-05-01 15:29 . 2011-05-01 15:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-01 15:25 . 2011-05-01 16:32 -------- d-----w- c:\program files\Common Files\PC Tools
2011-04-27 19:47 . 2011-04-27 19:47 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Threat Expert
2011-04-25 08:10 . 2011-05-01 16:32 -------- d-----w- c:\program files\PC Tools Security
2011-04-25 08:08 . 2011-05-01 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-04-24 12:14 . 2011-04-24 12:14 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2011-04-24 10:22 . 2011-04-24 10:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-24 10:22 . 2011-04-24 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-24 10:21 . 2011-05-02 12:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-24 10:09 . 2011-04-24 10:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2011-04-24 10:09 . 2011-04-24 10:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2011-04-24 10:08 . 2011-04-24 10:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2011-04-24 10:07 . 2011-04-24 10:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-04-22 18:50 . 2011-04-22 18:50 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-04-20 18:13 . 2011-04-20 18:13 -------- d-s---w- c:\documents and settings\LocalService\UserData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2009-10-01 15:05 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-04 10:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-18 16:36 . 2009-10-03 17:23 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 16:36 . 2009-10-03 17:23 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 13:51 . 2006-03-04 03:33 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51 . 2004-08-04 10:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 13:18 . 2004-08-04 10:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 10:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2004-08-04 10:00 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2009-10-03 22:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 10:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-04 10:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-01-01 08:00 . 2011-04-24 08:48 135168 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-02_11.03.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-01 15:13 . 2011-05-02 11:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-01 15:13 . 2011-05-02 09:48 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-01 15:13 . 2011-05-02 09:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-01 15:13 . 2011-05-02 11:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-01 15:13 . 2011-05-02 11:12 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-10-01 15:13 . 2011-05-02 09:48 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-05-07 17:40 . 2011-05-08 09:10 191664 c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
+ 2011-04-14 14:46 . 2011-04-14 14:46 3854848 c:\windows\Installer\3ca6f.msp
+ 2011-05-02 11:44 . 2011-05-02 11:44 3446272 c:\windows\Installer\3ca6c.msi
+ 2011-05-02 11:42 . 2011-05-02 11:42 1611776 c:\windows\Installer\3ca68.msi
+ 2011-03-13 01:02 . 2011-03-13 01:02 15139328 c:\windows\Installer\3ca6e.msp
+ 2011-01-31 10:45 . 2011-01-31 10:45 11135488 c:\windows\Installer\3ca6d.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-16 149280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
S2 COSIDS_TB;COSIDS_TB;c:\progra~1\COSIDS\BIN\TbMux32.exe [04/02/2010 13:02 165376]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [08/04/2010 17:19 233472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/03/2011 19:58 136176]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [08/04/2010 17:19 36608]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-30 18:58]
.
2011-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-30 18:58]
.
2011-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-299502267-682003330-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 18:03]
.
2011-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-299502267-682003330-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 18:03]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\5ryolv8x.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourma ... e=61465&p=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-08 20:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_7L250S0 rev.BANC1G10 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8670E57B
user & kernel MBR OK
.
**************************************************************************
.
Completion time: 2011-05-08 20:11:18
ComboFix-quarantined-files.txt 2011-05-08 19:11
.
Pre-Run: 200,133,513,216 bytes free
Post-Run: 200,155,951,104 bytes free
.
- - End Of File - - D74D1DBB1574A3F9F501C98FD5FA7E2C
sallan29
Geek in Training
Posts: 17
Joined: Thu Jan 30, 2003 1:00 am
Location: United Kingdom
Thanks given:3
Thanks received:0

Re: Please help, can't get rid of Trojan horse Agent_r.XJ

Postby Gecko » Mon May 09, 2011 2:36 am

sallan29,

Sorry about the Hijackthis reference, it's part of a "canned reply" that I overlooked.

Your combofix log looks clean, so how is it running now?

Let's see if we can get the details of the BAD_POOL error.
Go to Start > Control panel > Administrative tools > Event viewer > look in the system section.

You are looking for any red or yellow icons, double click on the icon.
Click inside the 'Description' section, then highlight the text and copy and paste it into notepad.
At the bottom of the event window check 'Words' and then copy and paste that text also.
Then paste it all into your reply to this thread.

If you don't show any errors in the event viewer then:
Go to Start > Control Panel > System > Advanced tab > Startup and Recovery section
Settings button > System Failure section > check the box 'Write an event to the system log'

Who said thanks: sallan29 (Mon May 09, 2011 10:42 pm)
Gecko
Super Moderator
Posts: 5207
Joined: Thu Oct 25, 2001 1:00 am
Location: Florida, USA
Thanks given:1
Thanks received:23

Re: Please help, can't get rid of Trojan horse Agent_r.XJ

Postby sallan29 » Mon May 09, 2011 10:37 pm

PC still not working great; following info as requested.
I really appreciate your time and assistance.

System 2,533 event(s) 113 Yellow warnings 351 Red Errors

Many of the following messages are repeated multiple times, I have had to
copy them manually as the copy/paste facility wouldn't work.
The messages date back to 20/04/11. Let me know if you need more info
as I have probably missed some.



The SentinelSuperProNet Server service terminated unexpectedly. It has done this 1 time(s).
For more information, see Help and Support Centre at
http://go.microsoft.com/fwlink/events.asp


The Sentinel service failed to start due to the following error:
The system cannot find the device specified.
For more information, see Help and Support Centre at
http://go.microsoft.com/fwlink/events.asp

The description for Event ID ( 19 ) in Source ( Sentinel ) cannot be found.
The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. You may
be able to use the /AUXSOURCE=flag to retrieve this description; see
Help and Support for details. The following information is part of the event;
0000: 00130000 006a0001 00000000 80070013
0010: 00000b32 00000000 00000000 00000000
0020: 00000000 00000000 4953544e 443a494c
0030: 65766972 746e4572 007972

TCP/IP has reached the security limit imposed on the number of
concurrent TCP connect attempts.
For more information, see Help and Support Centre at
http://go.microsoft.com/fwlink/events.asp
0000: 00000000 00540001 00000000 80001082
0010: 00000001 00000000 00000000 00000000
0020: 00000000 00000000

The following Error message is displayed 100 times on the 8th & 9th May
Source; Service Control Manager, Event; 7023

The Application Management service terminated with the following error:
The specified module could not be found.


DCOM got error "This service cannot be started in Safe Mode" attempting
to start the service EventSystem with arguments "" in order to run the
server:
{1BE1F766-55-5536-11D1-B726-00C04FB926AF}


The following boot-start or system-start driver(s) failed to load:
Fips
intelppm


DCOM got error "This service cannot be started in Safe Mode" attempting
to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}


DCOM got error "This service cannot be started in Safe Mode" attempting
to start the service netman with arguments "" in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}


The TIS 2000 Apache Web Server service terminated unexpectedly. It
has done this 1 time(s).

An I/O Request to the device \Device\Harddisk0\DR0 did not complete or
canceled within the specific timeout. This can occur if the device driver
does not set a cancel routine for a given I/O request packet.
0000: 00000000 00520001 00000000 80040036
0010: 00000000 00000000 00000000 00000000
0020: 00000000 00000000

Unable to Connect: Windows is unable to connect to the automatic
updates service and therefore cannot download and install updates
according to the set schedule. Windows will continue to try to establish a
connection.
0000: 336e6957 65524832 746c7573 3078303d
0010: 30303030 20303030 61647055 44496574
0020: 30307b3d 30303030 302d3030 2d303030
0030: 30303030 3030302d 30302d30 30303030
0040: 30303030 207d3030 69766552 6e6f6973
0050: 626d754e 303d7265 0020

The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.

Above message repeated 3 times

Remote Access Connection Manager failed to start because it could not
create buffers. Restart the computer. Access is denied.
0000: 00000005

Timeout (30000 milliseconds) waiting for a transaction response from the
stisvc service.

The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. No
attempt to connect a source will be made for 15 minutes. NtpClient has no
source of accurate time.

Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the
DNS lookup again in 15 minutes. The error was: A socket operation was
attempted to an unreachable host (0x80072751)




Your computer has lost the lease to its IP address 192.168.0.4 on the
Network Card with network address 00123FA53EB7.

Your computer was not able to renew its address for the network (from
the DHCP Server) for the Network Card with network address
00123FA53EB7. The following error occurred:
The semaphore timeout period expired. Your computer will continue
to try and obtain an address on its own from the network address (DHCP)
server.
0000: 00000079
Above message repeated again;
0000: 000004c7
TCP/IP has reached the security limit imposed on the number of
concurrent TCP connect attempts.
0000: 00000000 00540001 00000000 80001082
0010: 00000001 00000000 00000000 00000000
0020: 00000000 00000000

Error code 00000019, parameter1 00000020, parameter2 857e66d8,
parameter3 857e6af0, parameter4 1a83007c.
0000: 74737953 45206d65 726f7272 72452020
0010: 20726f72 65646f63 30303020 31303030
0020: 50202039 6d617261 72657465 30302073
0030: 30303030 202c3032 65373538 38643636
0040: 3538202c 61366537 202c3066 33386131
0050: 63373030

The Automatic Updates service hung on starting.
sallan29
Geek in Training
Posts: 17
Joined: Thu Jan 30, 2003 1:00 am
Location: United Kingdom
Thanks given:3
Thanks received:0
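Gecko asked for the 'Words' section of each event, and the post above pastes several of them. That section is Event Viewer's view of the event's raw data as little-endian 32-bit words, so it is not readable until the byte order of each word is reversed. The decoder below is an added example written for this thread, not something posted by either participant or shipped with any of the tools mentioned; the three dumps it embeds are copied from the post above (the STOP error, the Windows Update error and the Sentinel event) and are treated here as constructed sample input. It reverses each word back into bytes, handles the short trailing word Event Viewer prints when the data length is not a multiple of four, renders the result as text, and parses the decoded STOP-error text into the bugcheck code and parameters. The bugcheck name table is a small, hand-picked subset of the well-known Windows STOP codes and is an assumption of this example rather than anything the thread lists; 0x19 is BAD_POOL_HEADER, which is the "BAD_POOL" error Gecko refers to.

```python
"""Decode the hex 'Words' dump that Windows Event Viewer shows under an event's Description."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples, copied from the event log text in the post above.
# Event Viewer prints the event data as little-endian 32-bit words; when the
# data length is not a multiple of four, the last word is printed with fewer
# hex digits (e.g. "0020" is two bytes, "007972" is three).
BUGCHECK_WORDS = """\
0000: 74737953 45206d65 726f7272 72452020
0010: 20726f72 65646f63 30303020 31303030
0020: 50202039 6d617261 72657465 30302073
0030: 30303030 202c3032 65373538 38643636
0040: 3538202c 61366537 202c3066 33386131
0050: 63373030
"""

WINDOWS_UPDATE_WORDS = """\
0000: 336e6957 65524832 746c7573 3078303d
0010: 30303030 20303030 61647055 44496574
0020: 30307b3d 30303030 302d3030 2d303030
0030: 30303030 3030302d 30302d30 30303030
0040: 30303030 207d3030 69766552 6e6f6973
0050: 626d754e 303d7265 0020
"""

SENTINEL_WORDS = """\
0000: 00130000 006a0001 00000000 80070013
0010: 00000b32 00000000 00000000 00000000
0020: 00000000 00000000 4953544e 443a494c
0030: 65766972 746e4572 007972
"""

# Hand-picked subset of well-known STOP codes (assumption of this example, not from the thread).
BUGCHECK_NAMES: Dict[int, str] = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x19: "BAD_POOL_HEADER",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xC2: "BAD_POOL_CALLER",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}

_LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{4}):\s*(.*)$")
_HEX = set("0123456789abcdefABCDEF")
_BUGCHECK_RE = re.compile(
    r"Error code ([0-9a-fA-F]{8})\s+Parameters ([0-9a-fA-F]{8}), ([0-9a-fA-F]{8}), "
    r"([0-9a-fA-F]{8}), ([0-9a-fA-F]{8})"
)


def words_to_bytes(dump: str) -> bytes:
    """Turn an Event Viewer 'Words' dump back into the raw event data bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # ignore blank lines or prose pasted together with the dump
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#06x} does not follow the previous line")
        for word in m.group(2).split():
            if len(word) % 2 or not set(word) <= _HEX:
                raise ValueError(f"bad hex word {word!r}")
            # Each printed word is little-endian: reverse it to get memory order.
            out += bytes.fromhex(word)[::-1]
    return bytes(out)


def dwords(data: bytes) -> List[int]:
    """The data as the 32-bit little-endian words Event Viewer printed (short tail word included)."""
    return [int.from_bytes(data[i:i + 4], "little") for i in range(0, len(data), 4)]


def printable_text(data: bytes) -> str:
    """Render the bytes as text, as Event Viewer's 'Bytes' view would, with non-printables as '.'."""
    data = data.rstrip(b"\x00")  # drop the terminating NUL(s) of a C string
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def parse_bugcheck(text: str) -> Optional[Dict[str, object]]:
    """Extract STOP code and the four parameters from a decoded 'System Error' event."""
    m = _BUGCHECK_RE.search(text)
    if not m:
        return None
    code = int(m.group(1), 16)
    params: Tuple[int, ...] = tuple(int(p, 16) for p in m.groups()[1:])
    return {"code": code, "name": BUGCHECK_NAMES.get(code, "UNKNOWN"), "params": params}


if __name__ == "__main__":
    for label, dump in (("STOP error", BUGCHECK_WORDS), ("Windows Update", WINDOWS_UPDATE_WORDS),
                        ("Sentinel", SENTINEL_WORDS)):
        raw = words_to_bytes(dump)
        print(f"{label}: {len(raw)} bytes -> {printable_text(raw)!r}")
    print(parse_bugcheck(printable_text(words_to_bytes(BUGCHECK_WORDS))))
```

Run as a script, the STOP-error dump decodes to "System Error  Error code 00000019  Parameters 00000020, 857e66d8, 857e6af0, 1a83007c", which matches the parameters already written out in the post, and `parse_bugcheck` labels it BAD_POOL_HEADER. The Windows Update dump decodes to a plain status string, and the Sentinel dump is mostly binary (its fourth word is the HRESULT 0x80070013) followed by the text "NTSILI:DriverEntry", which is why a 'Words' dump is worth decoding before deciding whether an event is relevant.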
