Problem With Trojan-aax5


This is a small summary of what I have been doing to fix this PC:

I'm cleaning the viruses from this computer, which belongs to somebody else, and I have cleaned several infections completely with tools like Mbam and Superantispyware, which I ran twice to be sure that the infections were removed, but I still have a problem with one.

The computer was in pretty bad shape when it was given to me; it had quite a few viruses (including a couple of downloaders, uffff!) and I couldn't even boot it at first because there was a virus that was causing the computer to restart automatically, so I entered Safe Mode and worked from there until I was able to start it in normal mode after removing most viruses from it.

After starting in normal mode there were still a few viruses left (one virus that infected a Windows file and was attempting to send a whole bunch of e-mails). After some more work I was able to remove those viruses too and replace the damaged Windows file (ndis.sys) from outside Windows, and I was able to stabilize it. I continued to work from there in normal mode until I removed most viruses and malware.

Most good anti-virus and anti-spyware programs are giving me a zero result in their scans now, and that includes several like Mbam antimalware, SuperAntispyware, Eset Nod32 online scan, BitDefender online scan, etc. The PC was running Norton SystemWorks 2003 and I told her that she should upgrade the antivirus to a newer tool, so I removed Norton and at the moment it is running with Avast free until further notice, and the Avast scan also came back completely negative.

The problem that I still have is that I ran the online Spysweeper tool from Webroot and it is indicating to me that the PC is infected with trojan-aax5. It says that it found this key in the registry:

HKU\S-1-5-21-2410742245-3193691662-3526516414\software\Microsoft\active setup\installed components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612}\

With some previous viruses I had to delete some keys from the registry and some files manually to remove them, and I was successful. As you can see, most antivirus software is giving me zero results, but this key that Spysweeper indicated doesn't appear in the registry when I look for it, and I cannot remove this virus from Spysweeper because the free version doesn't do that.

This HKEY_USERS area, HKU\S-1-5-21-2410742245-3193691662-3526516414, is not in the registry; what I have is something similar:

HKU\S-1-5-21-2410742245-3193691662-3526516414-1009, but that value {28abc5c0-4fcb-11cf-aax5-81cx1c635612} is not there.

Is there something running in memory blocking this key? How can I remove this nasty from the PC? In one place where I read about this trojan it said that it can also block Windows from reporting that there are upgrades available for Windows, and that it can also block Windows from reporting if the antivirus is out of date. The place said that it can also replace Windows Explorer with a copy.

This makes me suspect even more that the PC is indeed infected with this nasty, because I used the link in Internet Explorer to go to the Windows Update page to see if there were updates pending and there were 33 pending (about 72 megabytes of download).

This PC has been connected to the Internet for several days now and I have not seen one single Windows update message, and the automatic feature is turned on, which is very odd.

I would appreciate any help with this.

This is a HijackThis log that I just did with a brand new download of the software:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 8:42:38 PM, on 8/30/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\DOCUME~1\Gladimir\LOCALS~1\Temp\RtkBtMnt.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Gladimir\Desktop\HijackThis.exe

C:\Program Files\Alwil Software\Avast5\setup\avast.setup

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: facemoods Helper - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files\facemoods.com\facemoods\1.3.61.8\facemoods.dll

O2 - BHO: Windows Live Aplicaci

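As an added example, not code from the thread or from HijackThis, Spysweeper or Malwarebytes, the Python script below does the two triage steps a responder would take on the findings in the post above before hunting through regedit: it pulls the O2 (BHO) lines out of a HijackThis-style log and lists the CLSIDs registered with no DLL on disk, and it sanity-checks the key path the scanner reported. A per-user hive under HKU is named by a complete SID, which for the S-1-5-21 range ends in a relative identifier (the "-1009" the poster found), and a {CLSID} is hexadecimal only, so a path that fails either test cannot exist as written. The sample log lines are constructed from the ones quoted above; the reported key is copied verbatim; the corrected key in the usage check is a constructed placeholder, not a value from the page.

```python
"""Triage of scanner findings (added example; not from the thread or any tool in it).

Two checks before chasing a reported registry key:
  1. O2 (BHO) lines whose DLL is "(no file)": the CLSID registration outlived
     the add-on, so the leftover key is worth reviewing.
  2. A reported path must be able to exist: an HKU hive is named by a full
     user SID ending in a RID, and a {CLSID} is hexadecimal only.
"""
import re

# Constructed sample: lines in the HijackThis format quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: facemoods Helper - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files\facemoods.com\facemoods\1.3.61.8\facemoods.dll
"""

# The key Spysweeper reported, copied from the post (note the "x" characters).
REPORTED_KEY = (
    r"HKU\S-1-5-21-2410742245-3193691662-3526516414\software\Microsoft"
    r"\active setup\installed components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612}" + "\\"
)

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]*\}) - (?P<path>.*)$")
# Registry-style GUID: 8-4-4-4-12 hex digits in braces.
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)
# A user or group SID from the machine/domain range: S-1-5-21-<3 sub-authorities>-<RID>.
# Well-known SIDs such as S-1-5-18 are not covered; the post only involves S-1-5-21.
USER_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def parse_bhos(log_text):
    """Return one dict (name, clsid, path) per O2 line in a HijackThis-style log."""
    entries = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def orphaned_bhos(log_text):
    """CLSIDs registered as BHOs whose DLL no longer exists on disk."""
    return [e["clsid"] for e in parse_bhos(log_text) if e["path"] == "(no file)"]


def is_valid_guid(text):
    return GUID_RE.match(text) is not None


def assess_registry_path(path):
    """Sanity-check a scanner-reported key path before searching the registry for it."""
    parts = [p for p in path.split("\\") if p]
    hive = parts[0].upper() if parts else ""
    sid = parts[1] if hive in ("HKU", "HKEY_USERS") and len(parts) > 1 else None
    guid = parts[-1] if parts and parts[-1].startswith("{") else None
    result = {
        "hive": hive,
        "sid": sid,
        "sid_complete": bool(sid and USER_SID_RE.match(sid)),
        "guid": guid,
        "guid_valid": bool(guid and is_valid_guid(guid)),
        "problems": [],
    }
    if sid and not result["sid_complete"]:
        result["problems"].append(
            "HKU subkey is not a complete user SID (no RID); no such hive is loaded"
        )
    if guid and not result["guid_valid"]:
        result["problems"].append(
            "{GUID} component contains non-hex characters; it cannot be a real CLSID"
        )
    return result


if __name__ == "__main__":
    for clsid in orphaned_bhos(SAMPLE_LOG):
        print("BHO registered with no file on disk:", clsid)
    verdict = assess_registry_path(REPORTED_KEY)
    for problem in verdict["problems"]:
        print("Reported key cannot exist as written:", problem)
```

Run against the key from the post, the script reports both problems: the HKU component has no RID, and the fourth and fifth GUID groups contain "x". That matches what the poster saw (only the "-1009" hive exists, and the value is not there) and is the kind of evidence that, alongside clean scans from several other engines, supports treating a lone finding as a false positive rather than deleting keys by hand.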

Updated and ran Mbam again and this is the log:

(look at the rest of the text after log)

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4525

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/1/2010 7:37:04 PM

mbam-log-2010-09-01 (19-37-04).txt

Scan type: Full scan (C:\|)

Objects scanned: 180804

Time elapsed: 1 hour(s), 48 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Also, before this I had gone into the Control Panel and temporarily changed the security settings to download and install updates with my permission only (I'll change this back to automatic for the owner of this PC after all this, of course, because it's better. On my PC I always have it the other way, because I can control the bandwidth like that). This seems to have reset the automatic updates, because the Windows yellow shield appeared again in the System Tray after this, and I did two or three restarts because it kept appearing a few times with additional updates after restarting, as it usually does, and all the Windows updates were done.

I also downloaded (to desktop) and ran that other script of yours after the Mbam scan, but it produced no logs whatsoever; it just finished and closed ????


  • Staff

Hi,

for the owner of this PC after all this of course cause it's better.
Whose computer is this? A friend's? A customer's?

Download RSIT by random/random and save it to your Desktop.

  • Double click RSIT.exe to start the tool and click Continue at the disclaimer.
  • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
  • Please post the contents of both logs here in your next reply.


It is somebody else's computer. It belongs to somebody who asked me for help with computer trouble. When it was given to me it was in pretty bad shape; as I said, it couldn't even boot in normal mode.

I ran it as you indicated, but it only produced a maximized log.txt file, not a minimized one. ???

Logfile of random's system information tool 1.08 (written by random/random)

Run by Gladimir at 2010-09-06 02:16:32

Microsoft Windows XP Home Edition Service Pack 3

System drive C: has 130 GB (88%) free of 148 GB

Total RAM: 1012 MB (46% free)

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 2:16:42 AM, on 9/6/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe

C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe

C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe

C:\Documents and Settings\Gladimir\Desktop\RSIT.exe

C:\Program Files\trend micro\Gladimir.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Aplicaci


Ah, don't worry, somebody else at the Computer Hope forum helped me with this PC. The consensus was that it was a false positive. Everything has been fixed now and the PC is running OK. I followed some recommendations from the person who helped me there, and the PC has a better defense now to try to prevent future problems.

Many, many viruses were removed from the computer and many things were corrected. The recovery console was installed by ComboFix because it didn't have it installed. Old system restore points were deleted and a new one was created after the fixes.

System files were checked, all Windows updates were done, Avast free antivirus was installed along with Online Armor firewall, WOT plugins were installed for both browsers, and Spyware Blaster was installed to add another layer of protection. Well, many other things were done.

You can see the whole thread at this address if you wish:

http://www.computerhope.com/forum/index.ph...c,109614.0.html

So sorry for this; it is just that at first I was asking for help in that other forum and I wasn't receiving an answer for a while, so I asked for help here, and then somebody there started to help me and we started from there. So anyway, thanks for your help.
