AVG threat alerts for IDP.Trojan.1C8D1A13 & Crypt.AQLW

Solved
By mwaugh29
May 3, 2012
  1. mwaugh29

    mwaugh29 Newcomer, in training Topic Starter Posts: 36

    Broni,

    Here is the ESET Scan result:

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0063361.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0063450.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0063457.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0063458.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0063460.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0063526.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0063582.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
    C:\WINDOWS\INF\alchem.inf probably a variant of Win32/Agent.GESWFOG trojan cleaned by deleting - quarantined
    Best,
    Matt
  2. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Make sure you reinstall AVG as soon as possible.

    Uninstall:
    Java(TM) SE Runtime Environment 6 Update 1
    Java(TM) 6 Update 2
    Java 2 Runtime Environment, SE v1.4.2

    Update Adobe Flash Player
    Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

    Then we have one registry key missing which affects your Security Center function.

    Following steps involve registry editing. Please create new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


    Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
    Registry Editor will open.
    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    Right-Click Root and select Permissions...
    Under the Security tab, while Everyone is selected, put a check mark in the box under Allow next to Full Control.
    Click Apply and OK.
    Download XP.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
    Unzip downloaded file.
    You'll find several files inside.
    Double-click legacy_wscsvc.reg and confirm the prompt.
    Please go back to the Root key again, and while Everyone is selected remove the check mark in the box under Allow next to Full Control, then close the registry.
    Restart computer.
    Post new FSS log.
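The permission change and .reg import above, done from an elevated PowerShell prompt, as an added example that is not part of the thread or of the XP.zip package. It assumes legacy_wscsvc.reg has been extracted to the current directory and that the key it recreates is HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC (the XP "legacy" device node for the Security Center service; the .reg contents are not shown on this page, so that name is an assumption). Two departures from the post, both this example's own choice: the temporary grant goes to the account running the script rather than to Everyone, and it is removed in a finally block so it cannot be left behind if the import fails. Create a restore point first, as the post says.

```powershell
# Added example (not from the thread): recreate the missing Security Center
# key under Enum\Root by temporarily granting write access, importing the
# .reg file, and reverting the grant. Run elevated; PowerShell 2.0 or later.
# Assumptions: legacy_wscsvc.reg is in the current directory and recreates
# Enum\Root\LEGACY_WSCSVC (key name assumed, not shown on the page).

$root    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$target  = "$root\LEGACY_WSCSVC"                      # assumed key name
$regFile = Join-Path (Get-Location) 'legacy_wscsvc.reg'

if (-not (Test-Path -LiteralPath $regFile)) { throw "Missing $regFile" }

# The post grants Everyone Full Control; this example narrows that to the
# account doing the import, since only that account needs to write the key.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

$acl = Get-Acl -Path $root
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl

try {
    # reg.exe exits non-zero when the import is refused (e.g. access denied).
    & reg.exe import $regFile
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed (exit code $LASTEXITCODE)" }

    if (Test-Path -LiteralPath $target) {
        Write-Host "Restored: $target"
    } else {
        Write-Warning "Import ran but $target is still missing; check the .reg contents."
    }
}
finally {
    # Always undo the temporary grant, matching the post's last step.
    $acl = Get-Acl -Path $root
    [void]$acl.RemoveAccessRule($rule)
    Set-Acl -Path $root -AclObject $acl
}

# Service configuration the way FSS checks it: start mode and image path.
Get-WmiObject Win32_Service -Filter "Name='wscsvc'" |
    Select-Object Name, State, StartMode, PathName
```

If the import is refused even after the grant, the failure is usually ownership rather than the DACL: Enum\Root is owned by SYSTEM, and an account that does not own the key and has no WRITE_DAC right cannot change its permissions at all, which is the same limit regedit runs into.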
  3. mwaugh29

    mwaugh29 Newcomer, in training Topic Starter Posts: 36

    Hi Broni!

    After uninstalling Java(TM) SE Runtime Environment 6 Update 1 and Java(TM) 6 Update 2 successfully, I get the following message when attempting to uninstall Java 2 Runtime Environment, SE v1.4.2:

    "The feature you are trying to use is on a network resource that is unavailable. Click OK to try again, or enter an alternate path to a folder containing the installation package 'Java 2 Runtime Environment, SE v1.4.2' in the box below."

    Does this Java feature need to be removed before performing the other steps in the sequence?

    Thanks,
    Matt
  4. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    That's fine. Go on....
  5. mwaugh29

    mwaugh29 Newcomer, in training Topic Starter Posts: 36

    Broni,

    Please disregard previous message. I searched for the source file, located it, and entered the path in the provided box to remove the Java 2 Runtime Environment, SE v1.4.2 file. It has been uninstalled.

    I had re-installed AVG prior to Java features removal and I am proceeding with updating Adobe Flash Player.

    Best,
    Matt
  6. mwaugh29

    mwaugh29 Newcomer, in training Topic Starter Posts: 36

    Here is the new FSS scan report:

    Farbar Service Scanner Version: 30-04-2012 01
    Ran by Matthew (administrator) on 06-05-2012 at 16:48:20
    Running from "C:\Documents and Settings\Matthew\Desktop"
    Microsoft Windows XP Home Edition Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.

    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.
    netman Service is not running. Checking service configuration:
    The start type of netman service is OK.
    The ImagePath of netman service is OK.
    The ServiceDll of netman service is OK.

    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    Srservice Service is not running. Checking service configuration:
    The start type of Srservice service is OK.
    The ImagePath of Srservice service is OK.
    The ServiceDll of Srservice service is OK.

    System Restore Disabled Policy:
    ========================

    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.

    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
    cryptsvc Service is not running. Checking service configuration:
    The start type of cryptsvc service is OK.
    The ImagePath of cryptsvc service is OK.
    The ServiceDll of cryptsvc service is OK.

    Windows Autoupdate Disabled Policy:
    ============================

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
    Extra List:
    =======
    Avgtdix(15) DNE(14) Gpc(6) IPSec(4) IPSECSHM(9) NetBT(5) PSched(7) Tcpip(3) WSIMD(13)
    0x0F000000040000000100000002000000030000000C000000060000000700000008000000090000000A0000000B0000000F000000050000000D0000000E000000
    IpSec Tag value is correct.
    **** End of log ****

    Best,
    Matt
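A triage pass over a Farbar Service Scanner (FSS) log like the one above, as an added example that is not part of the thread or of FSS itself. It pulls out the three things a responder reads first: services FSS reports as not running, any ImagePath or ServiceDll that FSS prints as a literal path instead of "is OK" (the wuauserv ServiceDll line above is one; the example surfaces it for comparison against a known-good system rather than judging it), and File Check lines whose result is anything other than "MD5 is legit". The line formats are taken from the log above; the sample lines at the bottom are copied from it.

```powershell
# Added example (not from the thread): summarise an FSS log. Line formats are
# those visible in the log above; any other FSS output is not handled.

function Get-FssFindings {
    param([Parameter(Mandatory=$true)][string[]]$Lines)

    $notRunning = @()
    $pathShown  = @()
    $badFiles   = @()
    $section    = ''

    foreach ($line in $Lines) {
        $t = $line.Trim()

        # Section headers are short, letters only, and end in a colon
        # ("Windows Update:"). The "... Checking service configuration:" lines
        # contain a period, so they do not match this pattern.
        if ($t -match '^([A-Za-z ]+):$') { $section = $matches[1]; continue }

        if ($t -match '^(\S+) Service is not running') {
            $notRunning += New-Object PSObject -Property @{
                Section = $section; Service = $matches[1] }
        }
        elseif ($t -match '^The (ImagePath|ServiceDll) of (\S+?): "(.+)"') {
            # e.g. The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
            $pathShown += New-Object PSObject -Property @{
                Service = $matches[2]; Field = $matches[1]; Path = $matches[3] }
        }
        elseif ($section -eq 'File Check' -and $t -match '^(.+?) => (.+)$' -and
                $matches[2] -ne 'MD5 is legit') {
            $badFiles += New-Object PSObject -Property @{
                File = $matches[1]; Result = $matches[2] }
        }
    }

    New-Object PSObject -Property @{
        NotRunning = $notRunning; PathShown = $pathShown; BadFiles = $badFiles }
}

# Sample input: lines copied from the FSS log in the post above.
$sample = @'
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
cryptsvc Service is not running. Checking service configuration:
The ServiceDll of cryptsvc service is OK.

File Check:
========
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
'@ -split "`r?`n"

$f = Get-FssFindings -Lines $sample
'Not running : ' + (($f.NotRunning | ForEach-Object { "$($_.Section)/$($_.Service)" }) -join ', ')
'Path shown  : ' + (($f.PathShown  | ForEach-Object { "$($_.Service) $($_.Field)=$($_.Path)" }) -join ', ')
'Bad MD5     : ' + (($f.BadFiles   | ForEach-Object { $_.File }) -join ', ')
```

A "not running" entry whose start type, ImagePath and ServiceDll are all reported OK and whose file hashes as legit is a stopped service, not a hijacked one; the entries that matter are a start type or ServiceDll FSS will not call OK, or an MD5 mismatch. For the log above the bad-MD5 list is empty, which is the state the next post treats as clean.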
  7. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Your computer is clean.

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
  8. mwaugh29

    mwaugh29 Newcomer, in training Topic Starter Posts: 36

    Broni,

    After running script in OTL and restart, I do not find the log created (once again). Also, my taskbar has a Windows Classic look to it (this comes and goes). Additionally, after the TMP files had disappeared for a while, they are now back again.

    Proceed with cleanup?

    Thanks,
    Matt
  9. Lost Cause

    Lost Cause Newcomer, in training

    [Post removed by Broni]
  10. mwaugh29

    mwaugh29 Newcomer, in training Topic Starter Posts: 36

    Lost Cause,

    I have restored internet connection, but at times (> 1 hour), I need to reboot in order to re-connect. I'm not sure what the issue is there.

    Broni,
    Is the WinSockXPFix something worth trying after cleanup is finished?

    Best,
    Matt
  11. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Make sure you reset your restore points.
    Turn system restore off.
    Restart computer.
    Turn system restore on.
    Then proceed with cleanup.

    Temporary files are created all the time, so you have to run TFC weekly.

    I'd think some hardware is dying. Modem, router, network card....
  12. mwaugh29

    mwaugh29 Newcomer, in training Topic Starter Posts: 36

    Broni,

    When attempting to repair internet connection through the wireless network, the problem comes when registering DNS.
    As far as the modem or router is concerned, these devices are working properly with the laptop computer (no disconnect after ~1 hour). So should I look into updating the driver for the network card?

    Best,
    Matt
  13. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    You can definitely try to reinstall the driver (better than trying to update it).
    Is this laptop or desktop?
  14. mwaugh29

    mwaugh29 Newcomer, in training Topic Starter Posts: 36

    Is this laptop or desktop?

    Network card in question is in the desktop. Card was pre-installed on the laptop.

    The taskbar continues to toggle between Windows Classic look and my custom taskbar. Any ideas why?

    Best,
    Matt
  15. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Start with reinstalling the driver.
    If that doesn't help I'd get a new card - 15 bucks or so.

    It toggles while you use the computer, on restart or....?

