Solved AVG threat alerts for IDP.Trojan.1C8D1A13 & Crypt.AQLW

Broni,

Here is the ESET Scan result:

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0063361.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0063450.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0063457.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0063458.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0063460.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0063526.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0063582.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\WINDOWS\INF\alchem.inf probably a variant of Win32/Agent.GESWFOG trojan cleaned by deleting - quarantined
Best,
Matt
 
Make sure you reinstall AVG as soon as possible.

Uninstall:
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2
Java 2 Runtime Environment, SE v1.4.2

Update Adobe Flash Player
Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

Then we have one registry key missing, which affects your Security Center function.

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Registry Editor will open.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under the Security tab, while Everyone is selected, put a check mark in the box under Allow next to Full Control.
Click Apply and OK.
Download XP.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip downloaded file.
You'll find several files inside.
Double-click legacy_wscsvc.reg and confirm the prompt.
Please go back to the Root key again, and while Everyone is selected, remove the check mark in the box under Allow next to Full Control and close the registry.
Restart computer.
Post new FSS log.
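A scripted form of the registry procedure above, added here as an example; it is not part of the original post and not one of the tools the thread uses. It assumes the unzipped legacy_wscsvc.reg sits at C:\XP\ (an assumed location) and that the key the file restores is named LEGACY_WSCSVC (the usual LEGACY_<service> naming under Enum\Root; the post does not say). The check it adds is that the temporary Everyone/Full Control grant is removed in a finally block, so it is not left behind if the import fails, and the script confirms afterwards that the grant is gone.

```powershell
# Added example (not from the original thread): scripted version of the
# Enum\Root permission + .reg import procedure, run from an administrator
# PowerShell after creating a restore point.
# Assumptions: $RegFile location and the LEGACY_WSCSVC key name are not
# stated in the post and are assumed here.

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$RegFile  = 'C:\XP\legacy_wscsvc.reg'               # assumed path to the unzipped file
$Expected = Join-Path $KeyPath 'LEGACY_WSCSVC'      # assumed name of the restored key

if (-not (Test-Path -LiteralPath $RegFile)) {
    throw "Registry file not found: $RegFile"
}

# S-1-1-0 is the well-known SID for Everyone; using the SID avoids localized names.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $everyone,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

function Test-EveryoneFullControl {
    # True if an explicit Allow/FullControl ACE for Everyone is present on the key.
    $acl   = Get-Acl -Path $KeyPath
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq 'S-1-1-0' -and
            $ace.RegistryRights -eq [System.Security.AccessControl.RegistryRights]::FullControl) {
            return $true
        }
    }
    return $false
}

try {
    # Step 1: the "Permissions... / Everyone / Full Control" step.
    $acl = Get-Acl -Path $KeyPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl

    # Step 2: the "double-click the .reg file" step. reg.exe returns non-zero on failure.
    & reg.exe import $RegFile
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe import failed with exit code $LASTEXITCODE"
    }

    if (Test-Path -LiteralPath $Expected) {
        Write-Host "Restored key is present: $Expected"
    } else {
        Write-Warning "Import reported success but $Expected was not found; check the .reg contents."
    }
}
finally {
    # Step 3: always take the temporary grant back off, even if the import threw.
    $acl = Get-Acl -Path $KeyPath
    [void]$acl.RemoveAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl

    if (Test-EveryoneFullControl) {
        Write-Warning "Everyone still has Full Control on $KeyPath; remove it by hand in regedit."
    } else {
        Write-Host "Temporary Everyone/Full Control permission removed."
    }
}
```

Leaving Everyone with Full Control on Enum\Root would let any local process add or alter device and service enumeration keys, which is why the removal step in the post matters; the finally block makes that step unconditional.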
 
Hi Broni!

After uninstalling Java(TM) SE Runtime Environment 6 Update 1 and Java(TM) 6 Update 2 successfully, I get the following message when attempting to uninstall Java 2 Runtime Environment, SE v1.4.2:

"The feature you are trying to use is on a network resource that is unavailable." Click OK to try again, or enter an alternate path to a folder containing the installation package 'Java 2 Runtime Environment, SE v1.4.2' in the box below:

Does this Java feature need to be removed before performing the other steps in the sequence?

Thanks,
Matt
 
Broni,

Please disregard previous message. I searched for the source file, located it, and entered the path in the provided box to remove the Java 2 Runtime Environment, SE v1.4.2 file. It has been uninstalled.

I had re-installed AVG prior to Java features removal and I am proceeding with updating Adobe Flash Player.

Best,
Matt
 
Here is the new FSS scan report:

Farbar Service Scanner Version: 30-04-2012 01
Ran by Matthew (administrator) on 06-05-2012 at 16:48:20
Running from "C:\Documents and Settings\Matthew\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
netman Service is not running. Checking service configuration:
The start type of netman service is OK.
The ImagePath of netman service is OK.
The ServiceDll of netman service is OK.

Firewall Disabled Policy:
==================

System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
cryptsvc Service is not running. Checking service configuration:
The start type of cryptsvc service is OK.
The ImagePath of cryptsvc service is OK.
The ServiceDll of cryptsvc service is OK.

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Avgtdix(15) DNE(14) Gpc(6) IPSec(4) IPSECSHM(9) NetBT(5) PSched(7) Tcpip(3) WSIMD(13)
0x0F000000040000000100000002000000030000000C000000060000000700000008000000090000000A0000000B0000000F000000050000000D0000000E000000
IpSec Tag value is correct.
**** End of log ****

Best,
Matt
 
Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs left over on your computer, you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
 
Broni,

After running script in OTL and restart, I do not find the log created (once again). Also, my taskbar has a Windows Classic look to it (this comes and goes). Additionally, after the TMP files had disappeared for a while, they are now back again.

Proceed with cleanup?

Thanks,
Matt
 
Lost Cause,

I have restored internet connection, but at times (> 1 hour), I need to reboot in order to re-connect. I'm not sure what the issue is there.

Broni,
Is the WinSockXPFix something worth trying after cleanup is finished?

Best,
Matt
 
Proceed with cleanup?
Make sure you reset your restore points.
Turn system restore off.
Restart computer.
Turn system restore on.
Then proceed with cleanup.

Temporary files are created all the time, so you have to run TFC weekly.

I have restored internet connection, but at times (> 1 hour), I need to reboot in order to re-connect.
I'd think some hardware is dying. Modem, router, network card....
 
Broni,

When attempting to repair internet connection through the wireless network, the problem comes when registering DNS.
As far as the modem or router is concerned, these devices are working properly with the laptop computer (no disconnect after ~1 hour). So should I look into updating the driver for the network card?

Best,
Matt
 
should I look into updating the driver for the network card?
You can definitely try to reinstall the driver (better than trying to update it).
Is this laptop or desktop?
 
Is this laptop or desktop?

Network card in question is in the desktop. Card was pre-installed on the laptop.

The taskbar continues to toggle between Windows Classic look and my custom taskbar. Any ideas why?

Best,
Matt
 
Network card in question is in the desktop.
Start with reinstalling the driver.
If that doesn't help I'd get a new card - 15 bucks or so.

The taskbar continues to toggle between Windows Classic look and my custom taskbar. Any ideas why?
It toggles while you use the computer, on restart or....?
 