I've got this Aux.exe file that has attached itself to the Shared Documents folder. It will not delete. Norton catches it and says it is V32.Klez.H@mm. The Symantec site and Google don't have a reference to this bug. I unshared the folder and it stopped changing the system sounds. The only thing I can tell it has done is change the Windows default sound for "select" to a telephone ringing. After unsharing the Shared Documents folder and changing the "select" sound in Control Panel it has quit harassing me, but it's still there and won't go away. A little help, please.

I've run the FixKlez tool, and tried a freeware Delete On Boot, but the little bugger denies access. Thanks for any suggestions.

I'm not sure whether you might have misunderstood some of the instructions or not... since it is quite complicated... here's the link on how to use the tool.
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
A few things have to be done...
Turn off System Restore... the link on how to do that is near the bottom of the page.
Shut off power to the computer and wait 30 seconds... what that does is remove the virus from memory... better yet, unplug it for a couple of minutes.
Restart the computer in Safe Mode... the how-to link is about halfway down the page... running the computer in Safe Mode ensures that the virus doesn't start up.
If you don't get it into Safe Mode on the first try and it boots up to normal mode, you will have to shut off power again and wait again, because the virus will have loaded up again.
Once in Safe Mode, run the tool and restart the computer when done.
You will likely have to reinstall your Norton... the how-to is about halfway down the page.
Rescan with updated Norton again to ensure a clean system.
Once cleaned up, re-enable System Restore.
You will also likely have to restore files that were screwed up by Klez from backups.
Here is the write-up on Klez.H:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
Good luck

Thanks for the reply, but I have successfully removed Klez from several systems. After turning off System Restore, shutting down and waiting a couple of minutes, and rebooting into Safe Mode, I ran the tool and it doesn't find anything.
The thing that is different about this bug from the standard Klez is that it in no way hinders Norton Anti Virus from running. I can do Live Updates and run the system scan, but it doesn't detect anything.
If I share the "Shared Documents" folder and open any share on the network, that is when Norton detects the virus and puts up a warning box with the V32.Klez.H@mm virus name. Of course by that time it already changed the "select" sound to a telephone ring. Norton doesn't do anything with the virus, just a warning box that won't go away unless I log off.
I searched the Norton site for V32.Klez.H@mm and I couldn't find any reference. I did however find W32.Klez, but that evidently is not what this is.

OK... we will see where it is hiding... download "HijackThis" from the site below, unzip the file and run hijackthis.exe, click the Config button, then Misc Tools, check "List also minor sections (full)", click "Generate StartupList log", save the file and paste it in a reply.
I would do it when you have the folder shared, since that is when the virus is somehow triggered.
http://www.spywareinfo.com/articles/hijacked/

Actually, I'm getting ahead of myself... download the HijackThis program from the link above, unzip it, start the program and click the Scan button, save that file and paste it in a reply.

Hi, I have the same problem with the aux file. I'm not able to delete the trojan; I tried all methods but the result is always the same. When I try to delete the file, the system responds that, as far as it is concerned, the file doesn't exist. This is the start scan with HijackThis...
----------
Logfile of HijackThis v1.96.1
Scan saved at 0.37.50, on 19/08/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Symantec\Ghost\ngctw32.exe
\?\C:\WINDOWS\system32\aux.exe
C:\WINDOWS\System32\r_server.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Documenti\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://192.168.0.1:918; http://192.168.0.2:918; http://192.168.0.5:918
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SystemTray] SysTrày.exe
O4 - HKLM\..\Run: [Client] "C:\Programmi\TinaSoft\Easy Cafe Client\client.exe"
O4 - HKLM\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe
O4 - HKCU\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\_easywall.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs8.chat.sc5.yahoo.com/v45/yacscom.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37684.0756712963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5EE953B-AE6F-4603-A21C-D6162F6CC5D1}: NameServer = 151.99.125.2,151.99.125.3

-------------
StartupList report, 19/08/2003, 0.38.37
StartupList version: 1.52
Started from : C:\Documents and Settings\Administrator\Documenti\hijackthis\HijackThis.exe
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
* Showing rarely important sections
==================================================

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Symantec\Ghost\ngctw32.exe
\?\C:\WINDOWS\system32\aux.exe
C:\WINDOWS\System32\r_server.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Documenti\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.exe

---------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica]
Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.exe

---------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
SystemTray = SysTrày.exe
Client = "C:\Programmi\TinaSoft\Easy Cafe Client\client.exe"
aux.exe = \\?\C:\WINDOWS\system32\aux.exe

---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Tweak-XP =
aux.exe = \\?\C:\WINDOWS\system32\aux.exe

---------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[Zip Driver Loader] *
StubPath = C:\WINDOWS\ZipLoad32.exe ASC

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

---------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

---------------------
Checking for EXPLORER.exe instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

---------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

---------------------
Enumerating Browser Helper Objects:
NAV Helper - C:\Programmi\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
---------------------
Enumerating Task Scheduler jobs:
Symantec NetDetect.job
---------------------
Enumerating Download Program Files:
[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINDOWS\DOWNLO~1\yacscom.dll
CODEBASE = http://cs8.chat.sc5.yahoo.com/v45/yacscom.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37684.0756712963

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

---------------------
Enumerating Winsock LSP files:
Protocol #1: C:\WINDOWS\System32\_easywall.dll
---------------------
Enumerating Windows NT/2000/XP services
Ambiente supporto di rete AFD: \SystemRoot\System32\drivers\afd.sys (autostart)
Audio Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Browser di computer: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Servizi di crittografia: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Client DHCP: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Gestione dischi logici: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Client DNS: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Registro eventi: %SystemRoot%\system32\services.exe (autostart)
Fallback: System32\DRIVERS\HSF_FALL.sys (autostart)
Fsks: System32\DRIVERS\HSF_FSKS.sys (autostart)
GhostPostConfig - Auto Phase Driver: System32\Drivers\ghpcw2k.sys (autostart)
Guida in linea e supporto tecnico: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
K56: System32\DRIVERS\HSF_K56K.sys (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Helper NetBIOS di TCP/IP: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Servizio Norton AntiVirus Auto-Protect: C:\Programmi\Norton AntiVirus\navapsvc.exe (autostart)
Symantec Ghost Client Agent: C:\Programmi\Symantec\Ghost\ngctw32.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Servizi IPSEC: %SystemRoot%\System32\lsass.exe (autostart)
Archiviazione protetta: %SystemRoot%\system32\lsass.exe (autostart)
Registro di sistema remoto: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
RPC (Remote Procedure Call): %SystemRoot%\system32\svchost -k rpcss (autostart)
Remote Administrator Service: "C:\WINDOWS\System32\r_server.exe" /service (autostart)
Gestione account di protezione (SAM): %SystemRoot%\system32\lsass.exe (autostart)
ScriptBlocking Service: C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Utilità di pianificazione: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Accesso secondario: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Notifica eventi di sistema: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Firewall della connessione Internet (ICF) / Condivisione connessione Internet (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Rilevamento hardware shell: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SoftFax: System32\DRIVERS\HSF_FAXX.sys (autostart)
Spooler di stampa: %SystemRoot%\system32\spoolsv.exe (autostart)
Servizio Ripristino configurazione di sistema: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SYMTDI: \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS (autostart)
Temi: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Tones: System32\DRIVERS\HSF_TONE.sys (autostart)
Manutenzione collegamenti distribuiti client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
V124: System32\DRIVERS\HSF_V124.sys (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Strumentazione gestione Windows: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Aggiornamenti automatici: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Zero Configuration reti senza fili: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
---------------------

Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

---------------------
End of report, 10.253 bytes
Report generated in 0,461 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

A friend is having a similar problem. The file keeps trying to access the internet, but he blocks it with his firewall. On his system it is in windows\system32.
I tried deleting it every way I could think of. In a DOS window, dir aux.* lists the file, but a DEL command reports that the file does not exist. I tried various wildcards, but no luck. Norton detected it (not in my presence, unfortunately) and changed the date of the file to the current date, so it seems to have done something, but the file is still there and active, even in Safe Mode.
I'll be watching for more info. This is the only mention of this I've been able to find in all the search engines!
Thanks for the info so far.
Couch

It can be turned off by using CTRL+ALT+delete, but that's only a temporary measure until someone finds out how to delete it (short of formatting the drive!)

CRACKED IT!
Apparently "Aux" is a reserved filename in Windows XP, so normal delete/rename operations cannot take place. Full info on dealing with it is at:
http://support.microsoft.com/?kbid=315226

Thank you, thank you, o guru of knowledge base searches.
I did any number of searches in there but did not come up with this article. As always, you have to get just the right keywords or else!
My friend's computer is now free of aux.exe.

Ok, maybe you're free of that, but I noticed the file
O4 - HKLM\..\Run: [SystemTray] SysTrày.exe
which seemed a little strange. So I googled and found only 2 references to it and both were not good.
http://www.megasecurity.org/trojans/l/lamers_death/Mini_ld1.1.html
Check for SysTrày.exe and if it's 33.54 KB, you have a visitor.

Sorry, if you don't know how to make the à then copy that one or copy the filename from the previous post.
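
The two findings in this thread, a file name that collides with a reserved DOS device (so DEL and REN cannot address it on the plain path) and a Run entry whose name imitates a legitimate one with a look-alike character (SysTrày.exe), as an added example. This script is not code from the thread, from Symantec, from HijackThis or from the Microsoft KB article; the function and constant names are mine, and the only input is the six O4 lines copied from the HijackThis log posted above. It checks a name against Windows' reserved device names, builds the \\?\ literal path that makes Win32 skip that parsing (the same prefix the malware's own Run entries use to start itself), and triages O4 Run lines for these and related indicators. The KB article's own command line is not reproduced here.

```python
r"""Triage for the aux.exe / SysTrày.exe case: added example, not thread code.

Function and constant names are mine; the O4 lines in SAMPLE_O4_LINES are
copied from the HijackThis log posted earlier in the thread.
"""
import os
import re
import sys
import unicodedata

# DOS device names the Win32 layer reserves in every directory, with or without
# an extension: "aux.exe" is parsed as the AUX device, so a plain DEL or REN fails.
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL", "CLOCK$"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}

# Matches "O4 - HKLM\..\Run: [label] command" lines from a HijackThis scan.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")


def is_reserved_device_name(path: str) -> bool:
    r"""True if the final path component collides with a reserved DOS device.

    Win32 matches on the part before the first dot and ignores trailing
    spaces/dots, so 'aux', 'AUX.EXE' and 'nul.tar.gz' are all reserved while
    'auxiliary.exe' is not. Any \\?\ prefix and directories are ignored.
    """
    base = path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
    stem = base.split(".", 1)[0].rstrip(" .")
    return stem.upper() in RESERVED_DEVICE_NAMES


def win32_literal_path(path: str) -> str:
    r"""Prefix an absolute drive path with \\?\ so Win32 skips DOS-name parsing.

    This is the prefix the malware's own Run entries use to start itself;
    the same trick lets DEL/REN (or os.remove) reach the file.
    """
    if path.startswith("\\\\?\\"):
        return path
    if not re.match(r"^[A-Za-z]:\\", path):
        raise ValueError("need an absolute path such as C:\\dir\\aux.exe")
    return "\\\\?\\" + path


def delete_reserved_name_file(path: str) -> None:
    r"""Remove a file such as C:\WINDOWS\system32\aux.exe via its \\?\ path.

    Windows only. Do it from Safe Mode after ending the process, as the
    thread advises: a running copy holds the file open and re-adds its Run keys.
    """
    if sys.platform != "win32":
        raise OSError("reserved DOS device names only exist on Windows")
    os.remove(win32_literal_path(path))


def ascii_fold(name: str) -> str:
    """Strip accents: 'SysTrày.exe' -> 'SysTray.exe', to show what a name imitates."""
    return unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()


def triage_o4(lines):
    """Return (label, command, reasons) for each O4 Run entry worth a second look."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        # Executable is the quoted part, or the first whitespace-delimited token.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        reasons = []
        if is_reserved_device_name(exe):
            reasons.append("reserved DOS device name: plain del/ren cannot address it")
        if exe.startswith("\\\\?\\"):
            reasons.append("started via \\\\?\\ literal path, unusual for legitimate software")
        if "\\" not in exe:
            reasons.append("bare file name: resolved through the process search path")
        if any(ord(ch) > 127 for ch in exe):
            reasons.append(f"non-ASCII character in name, imitates {ascii_fold(exe)}")
        if reasons:
            findings.append((m.group("label"), cmd, reasons))
    return findings


# Constructed sample: the six O4 lines from the posted HijackThis scan.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKLM\..\Run: [SystemTray] SysTrày.exe",
    r'O4 - HKLM\..\Run: [Client] "C:\Programmi\TinaSoft\Easy Cafe Client\client.exe"',
    r"O4 - HKLM\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe",
    r"O4 - HKCU\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe",
]

if __name__ == "__main__":
    for label, cmd, reasons in triage_o4(SAMPLE_O4_LINES):
        print(f"[{label}] {cmd}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the posted log it reports three entries: the SysTrày.exe line (bare name plus a non-ASCII character that folds to SysTray.exe) and the two aux.exe Run keys (reserved device name, started through a \\?\ path). The reserved-name check is the reason DEL "cannot find" a file that DIR lists; the literal-path helper is what a deletion from Safe Mode has to go through.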
