
Windows Security Alert - Trojan-spy.win32.keylogger.aa


4 replies to this topic

#1 Pat34

Pat34

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:33 PM

Posted 27 August 2008 - 04:56 PM

I have the same problem that hawks32 had on August 25th, but mine started showing up yesterday as a fake Windows Alert for Trojan-Spy.Win32.Keylogger.aa. I know it is fake because the Block and Unblock buttons were grayed out ... Now how do I get rid of this??? ...

I have systematically been trying to fix this box since the 25th, when it started with the joke.blushod. I have downloaded and researched everything to get rid of the first one, including malware. It did get rid of it at first, then it showed back up yesterday with a lot more.

I ended up buying Kaspersky Internet 2009 ... it got rid of some of the problem. Then Spyware Detector got rid of some more. The Windows XP automatic update is failing because it requests the Microsoft Professional location for FrontPage, even though this is Windows XP Home Edition.

I then ran SDFix (which finally grabbed the identified .exe for joke.blushod and deleted it). I then ran ComboFix. But after ComboFix ran, Norton did not come back, even after a reboot, though Kaspersky is back up. I don't know how to interpret the ComboFix log, and since the fake Windows alert is still happening and the Windows updater won't work, I am assuming that I cleaned up more ... but still not all.


I would appreciate any help I can get to fix this issue as one of the windows updates was to fix a security breach.

Please help, as I know this box is infected with more, and I have three other computers on this home network and want to protect them !!!!


#2 possumbarnes

possumbarnes

  • Members
  • 333 posts
  • OFFLINE
  • Gender:Male
  • Location:Tennessee, USA
  • Local time:01:33 PM

Posted 27 August 2008 - 05:44 PM

Block and unblock were grayed out on what? Kaspersky virus warning?

I have systematically been trying to fix this box since the 25th, when it started with the joke.blushod. I have downloaded and researched everything to get rid of the first one, including malware. It did get rid of it at first, then it showed back up yesterday with a lot more.

I would like a little more data here. What programs did you download and run to try and get rid of the joke BSOD?

I then ran ComboFix. But after ComboFix ran, Norton did not come back, even after a reboot, though Kaspersky is back up. I don't know how to interpret the ComboFix log, and since the fake Windows alert is still happening and the Windows updater won't work, I am assuming that I cleaned up more ... but still not all.

Running ComboFix without experience with it is VERY dangerous to your system. There is a warning at the top of your post in big bright blue letters:
When posting your problem, do not run and post ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF logs will be ignored.

AND FINALLY, to get rid of the win32.keylogger.aa, try this:
1. Download Malwarebytes’ Anti-Malware (mbam-setup.exe) and save it on your Desktop.
2. After downloading, double-click on mbam-setup.exe to install the application.
3. Follow the prompts and install.
4. Before the installation completes, check on the following prompts:
- Update Malwarebytes’ Anti-Malware
- Launch Malwarebytes’ Anti-Malware
5. Click "Finish." The program will run automatically and you will be prompted to update the program before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished click on the “Show Results”
8. Make sure that all detected threats are marked, click on Remove Selected.
9. Restart your computer.
10. Post the MBAM log in your next reply.
What's more irrational--a guy who believes in a God he cannot see or a guy who is offended by a God he doesn't believe in?

#3 Pat34

Pat34
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:33 PM

Posted 27 August 2008 - 07:03 PM

As for ComboFix ... yes, but I got the instructions from the techsupportforum, prior to finding this forum, signing up and posting, with a complete set of instructions and links to the how-to-use-ComboFix guide ... prior to seeing that ...

Malwarebytes' Anti-Malware is what I ran on the 25th, which is what I thought got rid of the original problem of the joke.blushod, which only returned two days later (no, the box was not connected to the internet ... I had disabled it). Spyware Detector found more of it ... but Norton Anti-Virus kept complaining it could not remove the rest of it ... then I bought Kaspersky Internet 2009 (it could detect but could not remove a lot of the violators).

The joke.blushod was not finally gone until SDFix found the underlying executable to the .scr file today and deleted it (I hope). Kaspersky did not even warn when I kept getting the fake popup. Most of the files were dropped or created themselves in the c:\system32 drive when the joke (haha) showed up, and though I could see them ... since I did not know what they all did, I did not manually delete them.

I was hunting around after posting this and went on the Kaspersky forum, and a user had the same problem with the same fake pop-ups of the keylogging. The recommendation given was for SuperAntiSpyware. http://www.superantispyware.com .... when I downloaded this (free 15 day fully functional trial) it found trojan.dropper/gen, adware tracking cookies and trojan.fakealert/Desktop, which it promptly removed.

With each of these programs getting pieces, I am not sure yet whether I am free of the trojans or not and would like a recommendation ... since none of these antispywares does it all ...

#4 possumbarnes

possumbarnes

  • Members
  • 333 posts
  • OFFLINE
  • Gender:Male
  • Location:Tennessee, USA
  • Local time:01:33 PM

Posted 27 August 2008 - 10:11 PM

SuperAntiSpyware runs best in Safe Mode, from my experience anyway (and you don't need the full version; the free home version has the same scan engine). Boot into Safe Mode, open SuperAntiSpyware and go to Preferences - Scanning Control - Scanning Options. Make sure to check
CLOSE BROWSERS BEFORE SCANNING
SCAN FOR TRACKING COOKIES
TERMINATE MEMORY THREATS BEFORE QUARANTINING
Then run a full scan while in Safe Mode. See if it finds anything else.

#5 Pat34

Pat34
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:33 PM

Posted 28 August 2008 - 09:08 AM

Safe Mode (SuperAntiSpyware) produced no errors. I re-ran Kaspersky and it found 3 detections for a Heur.Trojan/General, which were quarantined. Two were in registry keys that are executables and the other was in a directory. I sent them on, as these are considered general by their new system and they need to analyze them.

However, in the process I noted that one was in a folder I could not see (hidden). I unhid all the folders I could and went back into Safe Mode as Administrator and found Full Control given to Public on the alluser/application and a lot of other hidden folders. The newest problem is that every time I right-click on Start it goes to a Windows Installer (not sure if this is self-caused, as it is looking for the Symantec that never showed back up after the ComboFix run); once I "X" out of that twice I can see the Explore option. -- Any ideas for this?

Update: I think I have determined, with all the files that were hidden, that there is some type of rootkit involved. I did do another scan with the Spyware Detector that I also bought and found these 6 additional items that neither Kaspersky nor SuperAntiSpyware found ... Backdoor.Bifose, Adware.Kazaa, Backdoor.RA-Based, Trojan.NetCat, Spyware.Reboot, Trojan.Agent.

Either this box is getting re-infected or there is some kernel-based rootkit that is wreaking havoc. Thoughts?

Edited by Pat34, 28 August 2008 - 11:31 AM.
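The three observations in the post above (hidden files dropped into System32, Full Control granted to everyone on the All Users data folders, and registry keys pointing at executables) are each things a responder can enumerate directly rather than rely on whichever scanner happens to flag them. The script below is an added triage example written for this thread; it is not code from any of the posters or from any of the tools they mention (Malwarebytes, Kaspersky, SuperAntiSpyware, SDFix, ComboFix, Spyware Detector). It assumes a Windows host with PowerShell 3.0 or later and an elevated prompt; the `$RecentDays` window and the two path parameters are illustrative defaults, not values taken from the thread.

```powershell
# Added triage example for the symptoms described in this thread (hidden files
# dropped in System32, broad ACLs on All Users data, registry autostart entries).
# This is NOT code from the thread or from any of the tools named in it.
# Assumptions: Windows with PowerShell 3.0 or later, run from an elevated
# (Administrator) prompt; $RecentDays and the two path parameters are
# illustrative defaults that can be overridden on the command line.
param(
    [string]$SystemRoot      = $env:SystemRoot,
    [string]$AllUsersAppData = $env:ALLUSERSPROFILE,
    [int]$RecentDays         = 7
)

# 1. Hidden executables under System32 with a recent modification time.
#    A hidden .exe/.dll/.scr/.sys written in the last few days is the kind of
#    dropped file the poster noticed but did not know how to judge.
$cutoff = (Get-Date).AddDays(-$RecentDays)
$sys32  = Join-Path $SystemRoot 'System32'
Write-Host "== Hidden executables in $sys32 modified in the last $RecentDays days =="
Get-ChildItem -LiteralPath $sys32 -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        $_.Extension -match '^\.(exe|dll|scr|sys|com)$' -and
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        $_.LastWriteTime -gt $cutoff
    } |
    Select-Object Name, LastWriteTime, Length, Attributes |
    Format-Table -AutoSize

# 2. Directories under the All Users profile that grant Everyone, Users or
#    Authenticated Users FullControl or Modify. That is the "Full Control given
#    to Public" condition the poster found; malware (or a careless installer)
#    sometimes widens these ACLs so it can rewrite its own files later.
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
Write-Host "== Overly permissive ACEs under $AllUsersAppData =="
Get-ChildItem -LiteralPath $AllUsersAppData -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $dir = $_
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if ($null -ne $acl) {
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $broad -contains $ace.IdentityReference.Value -and
                    ([string]$ace.FileSystemRights) -match 'FullControl|Modify') {
                    [pscustomobject]@{
                        Path      = $dir.FullName
                        Identity  = $ace.IdentityReference.Value
                        Rights    = [string]$ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    } | Format-Table -AutoSize

# 3. Run/RunOnce autostart values for the machine and the current user, with a
#    check whether the referenced file still exists. Kaspersky flagged registry
#    keys pointing at executables; this is where such persistence usually sits.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host "== Autostart entries =="
$runKeys | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object {
    $key   = $_
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $cmd = [string]$p.Value
        # Pull the executable path out of a command line: either the quoted
        # first token or the first whitespace-delimited token.
        if ($cmd -match '^\s*"([^"]+)"')  { $exe = $Matches[1] }
        elseif ($cmd -match '^\s*(\S+)')  { $exe = $Matches[1] }
        else                              { $exe = $cmd }
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = $cmd
            Exists  = [bool](Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue)
        }
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the suspect machine (for example `.\triage.ps1 -RecentDays 14`). The output is a starting point, not a verdict: a hidden, recently written executable in System32, a Run value whose target no longer exists, or an Everyone/FullControl ACE on a folder that normally has none are each worth carrying into the next scan or into a post here, together with the file hashes. Nothing in the script removes or modifies anything, and it will not see files a kernel-mode rootkit hides from the Win32 API, which is exactly the case the poster is worried about; for that, an offline scan from a clean boot medium is the only reliable check.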




