Infected with Trojan horse Crypt.AXH Please Help


3 replies to this topic

#1 ComputerArt365

Posted 06 December 2008 - 12:14 AM

Domain has a server and 9 attached computers. Server is running Windows Server 2003 SB and workstations all have XP Pro.

3 or 4 workstations have Trojans. Only one has this one. I thought if I learned how to remove this one I could remove the others.

Trojan is detected in AVG 8 Network edition and is moved to the vault successfully, but it reinstalls at random or on reboot of the computer.

I have isolated this one workstation, shut down the rest after running AdAware, Spybot S&D, Malwarebytes, SuperAntiSpyware, and updating Windows. I have also looked in the registry for what is being run. I have reviewed the HijackThis log and made minor changes with no success.

I ran Combo Fix on one workstation and have booted it up successfully, but now that workstation is shut down to isolate the problem on this one. Trojan seems to jump to other computers on the network as soon as you remove it with AVG 8.

I remove spyware and viruses as a vocation, and am fairly experienced, but now I need some help.

#2 harrythook

Posted 07 December 2008 - 07:08 AM

Without seeing what exactly is in the machine it's going to be tough to clean it out. Crypt.AXH is a generic naming of an infection; I know F-Secure has it in their definitions.
With any infection you believe is "jumping" from machine to machine, there is a strong possibility that the entire network is infected. Any machine that is connected to the net there might have the capability to spread the infection, possibly through contact lists (bad if you have customers' info). I would recommend dropping the network until it's cleaned up, if you believe the infection is replicating itself on other machines.
Cleaning one machine might give you some idea what's going on in the others, but remember malware can come bundled with other stuff.

As this seems to be a business application, I would think you would be best served by hiring someone to give you a hand. You can revisit HERE and read the preparation guide, and then post the logs requested. Be prepared, there is a bit of a backlog in answering requests for help right now.

I must caution you about launching tools on your own, some of the things used here will destroy an OS or programs if run incorrectly. The use of tools on a server platform can be deadly to the machine. You seem knowledgeable, but you are getting into an area most IT people don't deal with. Please use caution.

Harry

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

Become a BleepingComputer fan: Facebook

#3 ComputerArt365

Posted 08 December 2008 - 02:53 AM

I was thinking of something similar. I shut down all workstations but one. I found Windows updates were not complete, so I updated Windows and ran all removers again. Rebooted and the Trojan did not reinstall. Continued the same procedure with all 9 workstations, only turning on one at a time. Looked at the AVG virus vault and the log of when the trojan was detected and where it was removed from on each machine. I found one that was the first to be infected with two different trojans. Call it workstation Debbie. Looked at the IE history for those days and discovered the Trojans were first found in the IE Temp folder. Looked in the IE browsing history for those days and narrowed down the source of the problem to two or three places. Later the trojan was found in system32 and even _restore files on other workstations. As soon as it was deleted from one computer it would jump to Documents and Settings\Network Service\Local Settings\Temporary Internet Files\Content.IE5\(IE subfolder name)\(example)[1].jpg on other machines.

Workstation Debbie is using a My Yahoo home page with RSS feeds. Also some of the Yahoo cookies or images show up at the same time. Suspects are: an Xbox promotion, a Yahoo mediaplex link, a site called about.com, and a Yahoo link called julianne hough.jpg (country western star).

Suggested to the owner of the business that this user use Firefox instead, or raise the security of IE 7 and use the Google homepage (not My Yahoo).

Booted up all workstations and ran a scan on all of them plus the server. Only Workstation Debbie still had a Trojan in the system32 folder (x.dll). I cleaned this one and now everything looks good.

The real test will be when they open business on Monday morning. Thanks for your comments Harry! :thumbsup:
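The poster traced the reinfection to a cached file under Temporary Internet Files\Content.IE5 in the Network Service profile, saved with an image name such as (example)[1].jpg. One defender-side check that follows from that is to walk every profile's Content.IE5 tree and flag cached files whose first bytes do not match the image extension they carry (for instance a DOS/PE "MZ" header inside a .jpg). The script below is an added example written for this thread, not code from the poster, from AVG, or from any tool named above; the XP profile layout it probes is the conventional one, the sample cache it builds is constructed, and the small magic-byte table is my own choice of heuristics, so treat a hit as something to hand to a scanner rather than a verdict on its own.

```python
import os
import tempfile
from pathlib import Path

# First bytes that files with these extensions should start with (my own short table).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
PE_MAGIC = b"MZ"  # DOS header that every Windows executable/DLL starts with


def classify_cached_file(path):
    """Return 'pe-executable', 'mismatch', 'ok' or 'unknown-type' for one cached file,
    judged from its first bytes rather than from its name."""
    ext = Path(path).suffix.lower()
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(PE_MAGIC):
        return "pe-executable"
    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        return "unknown-type"   # index.dat, .htm, .js etc.: not judged by this table
    if any(head.startswith(magic) for magic in expected):
        return "ok"
    return "mismatch"            # claims to be an image but does not look like one


def scan_cache_roots(roots):
    """Walk every folder below each root (the random-named Content.IE5 subfolders)
    and return a sorted list of (path, verdict) for files worth a second look."""
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                verdict = classify_cached_file(full)
                if verdict in ("pe-executable", "mismatch"):
                    findings.append((full, verdict))
    return sorted(findings)


def default_xp_cache_roots(drive="C:\\"):
    """Collect the Content.IE5 folder of every profile under Documents and Settings
    (this includes service profiles such as NetworkService, where the poster found
    the cached copy). Returns an empty list on a machine without that layout."""
    profiles = os.path.join(drive, "Documents and Settings")
    roots = []
    if os.path.isdir(profiles):
        for prof in os.listdir(profiles):
            cache = os.path.join(profiles, prof, "Local Settings",
                                 "Temporary Internet Files", "Content.IE5")
            if os.path.isdir(cache):
                roots.append(cache)
    return roots


def build_constructed_cache():
    """Create a throwaway directory that mimics one Content.IE5 subfolder.
    Constructed sample data only: a real JPEG header, a GIF header, a file with a
    PE header but a .jpg name, and an HTML fragment saved under a .png name."""
    base = tempfile.mkdtemp(prefix="content_ie5_")
    sub = os.path.join(base, "ABCD1234")
    os.makedirs(sub)
    with open(os.path.join(sub, "banner[1].jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    with open(os.path.join(sub, "spacer[1].gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 16)
    with open(os.path.join(sub, "promo[1].jpg"), "wb") as fh:
        fh.write(b"MZ\x90\x00" + b"\x00" * 60)        # executable wearing an image name
    with open(os.path.join(sub, "tracker[1].png"), "wb") as fh:
        fh.write(b"<html><body>not an image</body></html>")
    return base


if __name__ == "__main__":
    # On an XP machine this scans the real profiles; elsewhere it falls back to
    # the constructed sample so the script can be tried offline.
    roots = default_xp_cache_roots() or [build_constructed_cache()]
    for path, verdict in scan_cache_roots(roots):
        print(f"{verdict:15} {path}")
```

Run it from an account that can read every profile's Local Settings folder (the Network Service cache is not readable by a plain user), and feed the paths it lists to the scanner you already trust; an "ok" result only means the file looked like the image it claimed to be, it says nothing about scripts, HTML or archives in the same cache.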

#4 harrythook

Posted 09 December 2008 - 05:53 PM

Tuesday night, still got a client? :thumbsup:
