Problem With Trojan-aax5

PixelOz:
But what are you saying? The PC's condition has not changed. The Webroot program still indicates that it is infected with Trojan-aax5, and those keys are still locked, which will prevent the update of Acrobat Reader. ???

SuperDave:
The scans show no evidence of Trojan-aax5. It could be a false positive in Webroot.

SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to update the program definitions, click Yes.
* If you encounter any problems while downloading the updates, manually download and unzip them from here.
* Next click the Preferences button.
  * Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts.
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
  * Close browsers before scanning
  * Scan for tracking cookies
  * Terminate memory threats before quarantining
  * Please leave the others unchecked.
* Click the Close button to leave the control center screen.
* On the main screen click Scan your computer.
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK.
* Make sure everything in the white box has a check next to it, then click Next.
* It will quarantine what it found, and if it asks if you want to reboot, click Yes.
* To retrieve the removal information please do the following:
  * After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  * Click Preferences. Click the Statistics/Logs tab.
  * Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  * It will open in your default text editor (preferably Notepad).
  * Save the Notepad file to your desktop by clicking (in Notepad) File > Save As...
* Save the log somewhere you can easily find it (normally the desktop).
* Click Close and Close again to exit the program.
* Copy and paste the log in your post.

PixelOz:
Well, it could indeed be a false positive, because I ran a lot of the good anti-virus tools on this machine and they don't detect anything anymore; the only one detecting that is Webroot. I mean I ran the Norton online scan, Panda online scan, Bitdefender online scan, SUPERAntiSpyware, MBAM, ESET online scan, F-Prot online scan, F-Secure online scan, and the Avast antivirus scan, and nothing, so I'm suspecting that, because I doubt that many good tools could have missed such an infection, so what you say makes sense.

Anyway the other problem was those locked registry keys.

Those in the HKEY_LOCAL_MACHINE area (they are listed in the ComboFix log that I posted, look for them)

The following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS

I checked them in my Windows XP Home machine registry and I could access them OK, but in this other machine when I double-clicked on them I got the following message:

cannot edit : error reading the value's contents.

Well, I checked, and all the permissions that were supposed to be there for those keys were gone, I mean completely not there, so I put all the corresponding permissions back and I can access them again and they are showing the way they are supposed to.

I rebooted the machine to see if it was OK and the keys are still normal, so I ran the Acrobat Reader updater and it updated without problems this time. So that seems to be fixed. Malware damage from some of those viruses that were removed from this PC? Corrupted values due to disk error? I don't know (I did run a disk error check and fix a while ago already, just in case). So finally I seem to have found what was wrong with those keys.

That seems to point even more in the direction of a false positive. I will run Superantispyware as you indicated just to be sure and I will post the results shortly but so far we seem to be going in the right direction and after that post we will proceed with the rest of the procedures that you indicated. OK?
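A way to check those three keys for the missing-permissions condition described in the post above, as an added PowerShell example that is not part of the thread. It assumes an elevated PowerShell session on the affected PC and that a healthy key under HKLM\SOFTWARE grants FullControl to Administrators and SYSTEM (normally inherited); the key paths are the ones quoted in the post.

```powershell
# Added audit script (not from the thread): report OptionalComponents keys
# whose ACL cannot be read or that no longer grant the expected identities
# FullControl. Run from an elevated PowerShell prompt on the affected machine.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents'
$keys = 'IMAIL', 'MAPI', 'MSFS' | ForEach-Object { "$base\$_" }

# Identities assumed to hold FullControl on a healthy key under HKLM\SOFTWARE.
$expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$full = [System.Security.AccessControl.RegistryRights]::FullControl

function Test-OptionalComponentKeyAcl {
    param([string]$Path)
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # Matches the "cannot edit: error reading" symptom: the key is missing,
        # or the DACL no longer grants even READ_CONTROL to the caller.
        return [pscustomobject]@{ Key = $Path; Status = 'ACL unreadable'
                                  Detail = $_.Exception.Message; InheritanceBlocked = $null }
    }
    # Collect expected identities that have no Allow ACE carrying FullControl.
    $missing = foreach ($id in $expected) {
        $rule = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $full) -eq $full)
        }
        if (-not $rule) { $id }
    }
    $status = if ($acl.Access.Count -eq 0) { 'Empty DACL' }
              elseif ($missing) { 'Missing FullControl' }
              else { 'OK' }
    [pscustomobject]@{
        Key                = $Path
        Status             = $status
        Detail             = ($missing -join ', ')
        # True means inheritance from HKLM\SOFTWARE was cut off on this key.
        InheritanceBlocked = $acl.AreAccessRulesProtected
    }
}

$keys | ForEach-Object { Test-OptionalComponentKeyAcl -Path $_ } | Format-Table -AutoSize
```

A key reported as 'ACL unreadable' or 'Empty DACL' is the state the post describes; restoring the inherited permissions (or re-enabling inheritance) in regedit's Permissions dialog is the fix the poster applied.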

PixelOz:
MBAM log after scan with specified parameters (Nothing to it, just some cookies that it removed, so I think that we are good):

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/08/2010 at 01:30 AM

Application Version : 4.41.1000

Core Rules Database Version : 5468
Trace Rules Database Version: 3280

Scan type       : Complete Scan
Total Scan Time : 03:54:41

Memory items scanned      : 501
Memory threats detected   : 0
Registry items scanned    : 6880
Registry threats detected : 0
File items scanned        : 45207
File threats detected     : 30

Adware.Tracking Cookie

PixelOz:
ComboFix has been deinstalled.

TFC was run as instructed.

OTC was run as instructed.

Online Armor firewall was installed to compensate for lack of it in Avast free version.

Secunia check and more things pending.
