Win32:Agent-MYB [Trj] rhcl9tj0end.exe

Hello guys. This is my first posting on avast’s site, although I’ve been an avast! user for years now.

This is one Trojan I really had a problem getting the “Move to chest” button to work on. It simply didn’t work; or maybe it did, and it just kept finding spawned copies of the Trojan again? (??)

Problems I’m having at the moment with avast!
The file is in my temp file and if I click on “Move to chest” (well the information has changed now from what it was earlier) – at first there was an error, saying it couldn’t be moved because another program was using it. Now the error states “Cannot process” - There is not enough space on the disk.

  1. How was it detected? What was scanning, you yourself or the back-ground scanner? When did the message occur on a download, unzipping, opening a file, mail or mail-attachment, etc.?

Reading on this forum I’ve discovered it is a “Backdoor Trojan”.

I’ll have to say this problem was caused by me clicking on a link. I was looking at a supposed MSNBC link and I clicked on it to read the news. Things started to get hung up, I clicked CTL-ALT-DEL to force IE to close. I got 2 Not Responding messages.
Then I had avast!'s Nuclear warning go off, saying it had found a virus, the one I listed above in this post Win32:Agent-MYB [trj] rhcl9tj0end.exe
When I tried to move the file to the chest, avast! gave an error message that stated that it wasn’t able to move it, because the file was being used elsewhere.
For about an hour now I have been doing an avast! Virus Cleaner Tool scan, and earlier I scanned with AdAware. AdAware didn’t find anything wrong with my system with this new Trojan I think I found.

It’s possible the name of this virus is so new, it’s not really “out there” yet. I did a Google search and only found one reference to it on a German site w/a broken link.

  2. What was the source of the file, where did the file come from? E.g. address, URL, source.

I felt a chill of regret as I looked back at the MSNBC file I received in my email. The email sender was malariap1958@yahoo.com. I knew I had screwed up.

  3. When was it downloaded or received?
    About 12.20pm, Wednesday August 13, 2008.

  4. What is the exact file name with extension.

Win32:Agent-MYB [trj]

rhcl9tj0end.exe

It is referred to as being a “helpful antivirus software program” called “Antivirus XP 2008”

  5. What was the exact wording of the message that the AV program came up with? This is important for later.

“A Trojan Horse Was Found!”
Available actions (Move/rename - Delete - Move to Chest)
Recommended action: Move to chest

(I filled out a Virus report about this virus.)

Important!!! CLICKING on “Move to chest” isn’t working as it usually does – brings up a red, avast! error saying at first that it could not be moved because the file was being used by another program. (I’m assuming in this case it was Internet Explorer.) Now it’s saying there isn’t enough room on the disk to move the file - not sure if they’re talking about the temp file? I don’t know what this means, I have about 200 gigs left on my hard drive. (Plz forgive my ignorance here.)

  6. Now go back and do nothing yet. Scan the particular file once again with your AV product.

If I right click on the file in its location to do an avast! scan (C:\Program Files\rhcl9tj0end1) - nothing happens! :frowning: :cry:

I have tried to end the process of rhcl9tj0end1.exe in Windows Task Manager (CTL-ALT-DEL) but nothing happens. The Trojan is using 37,788K.

I have WinXP SP3 w/all updates. There was just an update last night that I installed as well. AdAware and SpyBot are up to date.

I was real worried about Adaware not finding anything wrong w/my computer, so I’m running a scan again.

EDIT! I forgot to add a couple of details that also happened during the infection of my computer. There’s a bright blue screen that replaced my own BG image and it says “Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer.”

Also in the first few minutes of the virus, it had installed a small icon in my processes area - over there where avast! is located. Every once in a while it would pop up a note saying my computer was infected w/1795 viruses or so. The icon is gone, but the process of the trojan .exe file is still appearing in my Task Manager.

If ad aware finds anything post it up

when finished with ad-aware scan update avast and then rt click on the ball and schedule a boot time scan
reboot
see if you can then move to chest

then update and run
http://www.malwarebytes.org/rogueremover.php
and then update and run
MBAM
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?hhTest=1

Microsoft
http://www.microsoft.com/security/malwareremove/default.mspx

and
http://www.ewido.net/en/onlinescan/

are also reputed to work on this infection

post back

Thank you very much, wyrmrider, I will do what you’ve suggested and get right back to repost.

Hey there! When I right click on the ball, I’m not sure which option to pick for scheduling a boot time scan. I’m using the Home version.

I’m not the right one to ask as I’m on w98 and do not have the option
I do understand that help is helpful :slight_smile:
I found this with search
are you running 2000-xp?

Thanks to DavidR from January- update first

No, there isn’t. But you can schedule a boot-time scanning:

Click on the Menu button.
Choose Schedule Boot Time Scan.
Doing so displays a dialog allowing you to schedule virus scanning.
Check Archives, if you want to scan all the archives.
Specify whether all the disks or just a specific folder should be scanned.
Select Advanced options for scheduling details.
Select how to automatically process infected files.
Choose how to automatically process infected system files.
Click the Schedule button to confirm the settings.

If infected files are found, it’s safer to send them to Chest instead of deleting them.
This way you can analyze them further.

tech also says about the same thing in this thread
http://forum.avast.com/index.php?topic=37870.0

the report will be here
The report file is created automatically in \Data\Report\aswBoot.txt

Aha!!

Actually I’m running Win XP Pro sp3. And I did find the button, it looked like a link on the recurring “Trojan Horse was found” avast! message.

I did the reboot scan as you suggested and it found one Win32 Trojan gen {other} thing, which I opted to Move to chest in the boot scan, and it worked.

The AdAware scan brought up 2 pieces of critical Malware, which I opted to have deleted – should I have “Quarantined” those instead?

As I logged-in, my computer went a little crazy as I had SpyBot-SD Resident and avast! giving me multiple messages of viruses.

So I then used the second instruction that you gave me, I used “Malwarebytes’ Anti-Malware” and I’m tellin’ ya – I think it worked!!

I saw it specifically removing the “Anti Windows 2008” thing, and there were quite a few of them in various places.

After that, it requested another reboot. This time – system looks really normal.

I have a really good feeling about this – and I’m so grateful to you right now, if you were here I’d give ya a very big hug! lol ;D

I also did the other 2 steps that you listed: Microsoft
http://www.microsoft.com/security/malwareremove/default.mspx

and
http://www.ewido.net/en/onlinescan/

The first 2 links for Malwarebytes look like the same file to me, I renamed the second one when I DL’d it, but I didn’t use the second one.

“then update and run
http://www.malwarebytes.org/rogueremover.php
and then update and run
MBAM
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?hhTest=1”

I think this is it though - I hope. Let me know what I should do. It seems ok. I am SOOO grateful!! :smiley:

Thank you so, so much. My computer is my whole life. lol

Well it looks as if you beat the crap out of the 2008 exploit (and 2009 is worse)
however without posting the logs no one can tell if there is other bad stuff there

on ad-aware and all programs- quarantine is the best choice and post up what they were
paths etc

since you have spybot (t-timer?) did you run a spybot scan?

what I’d do now is run the kaspersky on line scan
it will not fix anything but will find some things that others will not
in this case it is imperative to post back any hits

if it does find anything you could try a scan with SUPERANTISPYWARE
and post the log