Win32:Agent-AAXE [Trj] - Can't remove

I just downloaded the home edition of avast and installed it on a Windows XP system.

Scanning the memory, avast finds a trojan horse:


File name: c:\windows\system32\svchost.exe

Malware name: Win32:Agent-AAXE [trj]

Malware type: Trojan Horse

VPS version: 081204-0, 12/04/2008

I have let avast do the scan on boot, but it is unable to remove the file because it is read only. Seems like this is a copy of the actual valid file Windows uses, but I do not know. Avast has not been able to get rid of this.

Any ideas?

don’t choose to remove or chest anything… what is your OS version (language, service pack version)?

can you send the file to us (from the dialog - report as false positive) asap? we need to analyse it

btw: this doesn’t mean it is really a false positive, but we need to be sure, when we’re dealing with the svchost…

Isn’t this file digitally signed? Isn’t avast, by default, skipping these digitally signed files? ???

I will run the thing again and post what it spits out.

I am quite certain it is not a false positive. Whatever it is, it’s playing havoc with a few things. For example, I run a search in yahoo, and I end up on some ad page. Very annoying.

If you check your copy of svchost.exe you will see it isn’t digitally signed; it isn’t on my XP Pro SP3. Nothing in the file properties about a security certificate.

I just wonder if there is any mileage in recording the MD5 for some of the more common essential MS files like svchost which aren’t digitally signed, to be used in place of the security certificate ???
e.g. if any of them are detected, compare MD5s against an MD5 database for those files and their different versions, though this could indeed be very complex and messy with the different OSes and file versions, etc.

Perhaps another option is to add it to the system files in the chest with the others, kernel32.dll, etc. Is there a case as previously suggested to include other essential system files to the ones backed up in the system files section of the chest ???

svchost.exe
MD5:
27C6D03BCDB8CFEB96B716F3D8BE3E18

SHA1:
49083AE3725A0488E0A8FBBE1335C745F70C4667
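The hash-database idea floated above, worked through as an added Python example (this is not code from the thread, from avast or from Microsoft): it hashes a file in chunks with MD5 and SHA-1 and compares the result with a known-good table keyed by file name and version. The table entry, the version key "xp-sp3" and the file contents are constructed stand-ins; a real table would be built from clean installation media, and the example reports "unknown" rather than "match" for any name/version it has no reference for.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a clean system file image. A real reference would be
# the bytes of svchost.exe taken from clean installation media of that exact build.
CLEAN_SVCHOST_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in for a clean svchost.exe image"


def digests(data: bytes) -> dict:
    """Return the MD5 and SHA-1 hex digests of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
    }


# Known-good table: (file name, build label) -> expected digests.
# "xp-sp3" is a constructed label, not a real version string.
KNOWN_GOOD = {
    ("svchost.exe", "xp-sp3"): digests(CLEAN_SVCHOST_BYTES),
}


def hash_file(path: str) -> dict:
    """Hash a file on disk in 64 KiB chunks so large binaries need not fit in memory."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest().upper(), "sha1": sha1.hexdigest().upper()}


def verify_system_file(path: str, name: str, build: str) -> str:
    """Compare a file's digests with the known-good table.

    Returns "match", "mismatch", or "unknown" when the table has no entry for
    that name/build (the case the poster calls messy: many OSes, many versions).
    Both digests must agree for a match.
    """
    reference = KNOWN_GOOD.get((name, build))
    if reference is None:
        return "unknown"
    return "match" if hash_file(path) == reference else "mismatch"


def demo() -> dict:
    """Write a clean copy and a tampered copy to a temp dir and verify each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "svchost_clean.exe")
        with open(clean, "wb") as fh:
            fh.write(CLEAN_SVCHOST_BYTES)
        # Constructed tampered copy: same length, a few bytes changed, as an
        # in-place patch of the binary would leave it.
        tampered = os.path.join(d, "svchost_tampered.exe")
        with open(tampered, "wb") as fh:
            fh.write(CLEAN_SVCHOST_BYTES.replace(b"clean", b"patch"))
        results["clean"] = verify_system_file(clean, "svchost.exe", "xp-sp3")
        results["tampered"] = verify_system_file(tampered, "svchost.exe", "xp-sp3")
        results["unknown"] = verify_system_file(clean, "svchost.exe", "xp-sp2")
    return results


if __name__ == "__main__":
    print(demo())
```

A match only proves the file is byte-identical to the reference copy; it says nothing about a build the table does not cover, which is why the third call returns "unknown" instead of guessing, and it is exactly that coverage problem across service packs and hotfixes that makes the scheme expensive to maintain.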

Ok, here is what I’ve got going on so far:

I downloaded and ran Malwarebytes Anti Malware. It found some stuff and cleaned it out. Here is the log:

Malwarebytes’ Anti-Malware 1.31
Database version: 1464
Windows 5.1.2600 Service Pack 2

12/5/2008 3:04:00 PM
mbam-log-2008-12-05 (15-04-00).txt

Scan type: Quick Scan
Objects scanned: 55899
Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\Proxy.dll (Trojan.Agent) → Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bfce9407-d89e-4f34-91af-460b6afd61d7}\NameServer (Trojan.DNSChanger) → Data: 85.255.112.86;85.255.112.189 → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c807a8f8-48fa-490d-894c-1186b9c207a2}\NameServer (Trojan.DNSChanger) → Data: 85.255.112.86;85.255.112.189 → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{bfce9407-d89e-4f34-91af-460b6afd61d7}\NameServer (Trojan.DNSChanger) → Data: 85.255.112.86;85.255.112.189 → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c807a8f8-48fa-490d-894c-1186b9c207a2}\NameServer (Trojan.DNSChanger) → Data: 85.255.112.86;85.255.112.189 → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{bfce9407-d89e-4f34-91af-460b6afd61d7}\NameServer (Trojan.DNSChanger) → Data: 85.255.112.86;85.255.112.189 → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{c807a8f8-48fa-490d-894c-1186b9c207a2}\NameServer (Trojan.DNSChanger) → Data: 85.255.112.86;85.255.112.189 → Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) → Quarantined and deleted successfully.
C:\Documents and Settings\[name]\Start Menu\Programs\homeview (Trojan.DNSChanger) → Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-1844237615-1957994488-1343024091-1003\Dc1.dll (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\resycled\boot.com (Trojan.DNSChanger) → Quarantined and deleted successfully.
C:\WINDOWS\system32\Proxy.dll (Trojan.Agent) → Delete on reboot.

After I rebooted, I ran a full scan with Anti-Malware again and it found nothing.

I just ran the avast memory and startup test and it is still finding the AAXE thing I posted in the original post. Of course, I am not able to move the file to the chest. Here are the last several entries in the warning log:

2/5/2008 1:37:06 PM SYSTEM 1648 Sign of “Win32:Agent-AAXE [trj]” has been found in “C:\WINDOWS\System32\svchost.exe” file.
12/5/2008 1:41:34 PM SYSTEM 1648 Sign of “Win32:Inject-EV [trj]” has been found in “C:\DOCUME~1\[name]~1\LOCALS~1\Temp\sfcaofyx.dll” file.
12/5/2008 2:51:51 PM SYSTEM 1648 Sign of “Win32:Inject-EV [trj]” has been found in “C:\DOCUME~1\[name]~1\LOCALS~1\Temp\sfcaofyx.dll” file.
12/5/2008 3:06:37 PM SYSTEM 1576 Sign of “Win32:Agent-AAXE [trj]” has been found in “C:\WINDOWS\System32\svchost.exe” file.
12/5/2008 3:14:14 PM [name] 2540 Sign of “Win32:Agent-AAXE [trj]” has been found in “c:\windows\system32\svchost.exe” file.
12/5/2008 3:15:08 PM SYSTEM 1576 Sign of “Win32:Agent-AAXE [trj]” has been found in “C:\WINDOWS\system32\svchost.exe” file.
12/5/2008 8:04:46 PM [name] 4284 Sign of “Win32:Agent-AAXE [trj]” has been found in “c:\windows\system32\svchost.exe” file.

I used [name] in place of where my name appears.

I’m not sure if I have this still or not.
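The six NameServer entries in the Malwarebytes log above are the DNSChanger footprint: a static resolver written into every interface key, in every control set, so that name resolution (and with it the search results the poster saw redirected) goes through the attacker's servers. As an added Python example (not code from the thread, from avast or from Malwarebytes), here is the check a defender would run over `reg query ... /s` style output: parse the per-interface keys, split the NameServer value, and flag any resolver outside an expected set. The sample text is constructed and modelled on `reg query` output; the interface GUIDs and the 192.168.1.1 resolver are placeholders, and the two 85.255.x addresses are the values reported in the log.

```python
import ipaddress
import re

# Constructed sample, modelled on `reg query HKLM\...\Interfaces /s` output.
# GUIDs and the 192.168.1.1 resolver are placeholders; the two 85.255.x
# addresses are the ones the Malwarebytes log in this thread reported.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-0000-0000-0000-000000000001}
    NameServer    REG_SZ    85.255.112.86,85.255.112.189
    DhcpNameServer    REG_SZ    192.168.1.1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-0000-0000-0000-000000000002}
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    192.168.1.1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33333333-0000-0000-0000-000000000003}
    NameServer    REG_SZ    192.168.1.1
"""

# Resolvers this machine is expected to use (assumed: the LAN router; constructed).
EXPECTED_RESOLVERS = {"192.168.1.1"}

# One key line per interface, then indented "<name>    REG_SZ    <value>" lines.
KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Interfaces\\(\{[0-9a-fA-F-]+\})\s*$")
VALUE_RE = re.compile(r"^\s+(\w+)\s+REG_SZ\s*(.*)$")


def parse_interfaces(text: str) -> dict:
    """Return {interface_guid: {value_name: value}} from reg-query-style text."""
    interfaces, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            interfaces[current][m.group(1)] = m.group(2).strip()
    return interfaces


def split_servers(value: str) -> list:
    """NameServer may be comma, space or semicolon separated; keep only valid IPs."""
    servers = []
    for token in re.split(r"[,; ]+", value):
        if not token:
            continue
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            pass  # junk in the value is not a resolver, but is not silently "fine" either
    return servers


def find_rogue_resolvers(text: str, expected: set) -> dict:
    """Flag interfaces whose static NameServer points outside the expected set.

    An empty NameServer means DHCP supplies the resolvers and is the normal
    state; a static entry that differs from what the network hands out is the
    classic DNSChanger footprint. Returns {guid: [unexpected resolvers]}.
    """
    rogue = {}
    for guid, values in parse_interfaces(text).items():
        static = split_servers(values.get("NameServer", ""))
        unexpected = [ip for ip in static if ip not in expected]
        if unexpected:
            rogue[guid] = unexpected
    return rogue


if __name__ == "__main__":
    for guid, ips in find_rogue_resolvers(SAMPLE_REG_QUERY, EXPECTED_RESOLVERS).items():
        print(f"{guid}: static NameServer outside expected set -> {', '.join(ips)}")
```

On a real machine the same check should be run against ControlSet001 and ControlSet002 as well as CurrentControlSet, since the log shows the values were written to all three; cleaning only the current set leaves a copy that the last-known-good configuration will restore.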

ok… the detection is probably valid… what you can do is to boot from the OS installation CD, go to the repair console and replace the svchost with the original one from the CD… the Agent-AAXE detection catches the files injected with a reference to proxy.dll (considered as being malicious), this seems to be the point of your infection…

Tech: these system files aren’t signed directly, but are signed through the catalogs… there are two points - the validation of the catalog signature should fail (the file is injected) and even when this situation occurs, avast can’t allow you to delete svchost, cause it is too important (remember the deletion of the registry references) and a remove option could make a lot of harm…

What about the suggestion to keep a copy of svchost.exe or other essential system files in the System Files section of the chest? The three there really are lonely.

Would that not allow for the replacement of the infected version on the boot-time scan, as is suggested when there is an infected item in memory?

Because I had service pack 2 on the machine, I received an error regarding the fact that the CD was too old.

I tried a few ways to replace svchost.exe and none of them worked. The easiest solution was to go ahead and install service pack 3, which worked.

To summarize - I was able to remove this trojan by doing the following:

  1. Download/Install/Run Malwarebytes Anti Malware
  2. Install service pack 3 to replace svchost.exe

avast no longer reports any issues.

Thanks for the help!

Thanks for the feedback, glad that you have it resolved now.