Nasty Trojan 1c8d1a13 and crypt.aqlw

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jeepwhisperer, Apr 8, 2012.

  1. jeepwhisperer

    jeepwhisperer Private E-2

    Obviously, I have a problem. I have an Acer Aspire One netbook with XP, and a while ago AVG started to repeatedly locate two viruses, identified as IDP.Trojan.1C8D1A13 and Trojan Horse Crypt.AQLW. For some time I had AVG quarantine or delete the files it was finding. A search of the internet found some similar problems in your forums, so I started following a procedure that I found referenced in several threads. When I got to the ComboFix portion of the procedure it reported that there was still an active AVG protection even though I had uninstalled AVG via the add/remove function, so I stopped it at this point. Later I found that, while the computer seemed to work (other than some instability on startup where it might try restarting two or three times before "getting there"), it would no longer connect to the internet via either the wireless, the Ethernet cable, or a link to my phone via USB called PDAnet.
    Today I began following your "read and run first" procedure as best I could, using a flash drive to transfer software from the computer I'm typing on now. Everything went fine, finding no significant problems, until I got to ComboFix. Even though I had run the AVG_remover tool you provide, ComboFix was still finding some active AVG protection. I ignored this with no immediate problem. ComboFix then reported "Root Kit Zero Access" and after some time had to reboot. After this the scanning began. I came back later and found Windows Explorer missing... the background is still there, the cursor still works, and the drive light comes on briefly every few minutes.

    It's been like this for about three hours so far and I don't want to touch it, so I thought it would be a good time to post my problem to the experts. I plan to leave it alone overnight and see what happens...
     
  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, jeepwhisperer!

    As long as the ComboFix window is open, even if explorer is closed, you should leave it alone. It will probably be finished if you left it running overnight.

    Not sure if you have another AV installed or not, but this is what usually causes ComboFix to hang on reboots.

    Also, do not worry about ComboFix detecting AVG; it is detecting an old entry in WMI which we can remove later.
     
  3. jeepwhisperer

    jeepwhisperer Private E-2

    Well, it's morning and nothing has changed...
     
  4. thisisu

    thisisu Malware Consultant

    Skip ComboFix for now. Go to the next step.

    If ComboFix window never came up, try pressing Ctrl+Alt+Esc to open the Task Manager and File -> Open/Run -> explorer
    If that doesn't work, force restart the computer and continue to next step

    If ComboFix window is open and isn't progressing, click the X on the ComboFix screen which should close out ComboFix. Try opening Task Manager to proceed first, if that does not work, force restart the computer and continue to next step.
     
  5. jeepwhisperer

    jeepwhisperer Private E-2

    Ok, I manually restarted explorer and there was no sign of ComboFix, so I continued with the last two steps of the "read and run first" procedure without a hitch. Since I have no virus software installed I can't say if I'm cured, but it is closer to being able to network... before, it would not even recognize networks... it didn't see my wireless network at all, but now it sees and connects but gives the "limited or no connectivity" error, and when I try to repair it says it cannot renew the IP address.

    Even if I'm still infected, getting back on the internet would make the troubleshooting process much easier!
     
  6. thisisu

    thisisu Malware Consultant

    Please attach the logs you were able to obtain :)
     
  7. jeepwhisperer

    jeepwhisperer Private E-2

    Here are three log files I was able to find. There might be others but I don't know where they are.

    I tried running one of the "repair" functions in Super anti-spyware... the one to fix the network connection that is mentioned on one of your procedures. Didn't help...
     

    Attached Files:

  8. jeepwhisperer

    jeepwhisperer Private E-2

    here's another one...
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Thanks, I'll be able to review these later this evening.
     
  10. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Ad-Aware
    • Java(TM) 6 Update 20
    • Spybot - Search & Destroy
    • StartNow Toolbar

    __

    I want you to read and follow these instructions: TDSSKiller - How to run

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the custom scan text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\$NtUninstallKB11381$\*.*
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      
    • Now click the scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
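    The /md5start ... /md5stop section of the OTL script above asks the tool to fingerprint a handful of core network and input drivers (afd.sys, tcpip.sys, netbt.sys, and so on) so the consultant can compare them against known-good copies; a driver whose hash no longer matches is a classic sign that something has patched it. The script below is an added example, not code from the thread or from OTL, showing that comparison in Python. The file names are the ones in the post; the "clean" file contents and the baseline hashes are constructed for the demo and are not real driver hashes. MD5 is used only because that is what OTL reports, as a change fingerprint rather than a security primitive.

```python
import hashlib
from pathlib import Path
from typing import Dict, List

# Files named in the OTL /md5start ... /md5stop block of the post above.
WATCHED_FILES = ["afd.sys", "i8042prt.sys", "ipsec.sys",
                 "netbt.sys", "svchost.exe", "tcpip.sys"]


def md5_hex(data: bytes) -> str:
    """MD5 as lowercase hex, matching the form OTL prints."""
    return hashlib.md5(data).hexdigest()


def md5_of_path(path: Path) -> str:
    """Hash a file on disk in chunks so a large driver need not fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_directory(directory: Path, names: List[str] = WATCHED_FILES) -> Dict[str, str]:
    """Hash each watched name present in `directory` (e.g. %windir%\\system32\\drivers).
    Files that are absent are simply left out so compare() can flag them as missing."""
    return {n: md5_of_path(directory / n) for n in names if (directory / n).is_file()}


def compare(current: Dict[str, str], baseline: Dict[str, str]) -> Dict[str, str]:
    """Classify every baseline entry as 'ok', 'modified' or 'missing'."""
    report = {}
    for name, good in baseline.items():
        seen = current.get(name)
        if seen is None:
            report[name] = "missing"
        elif seen.lower() != good.lower():
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report


def suspicious(report: Dict[str, str]) -> List[str]:
    """Names that need a closer look (anything other than an exact match)."""
    return sorted(name for name, status in report.items() if status != "ok")


# ---- Constructed sample data: NOT real driver contents or real hashes ----
CLEAN_IMAGES = {name: f"clean image of {name}".encode() for name in WATCHED_FILES}
BASELINE = {name: md5_hex(data) for name, data in CLEAN_IMAGES.items()}


def demo_report() -> Dict[str, str]:
    """Simulate a machine where tcpip.sys was overwritten and ipsec.sys is gone."""
    on_disk = dict(CLEAN_IMAGES)
    on_disk["tcpip.sys"] = CLEAN_IMAGES["tcpip.sys"] + b" [constructed patch]"
    del on_disk["ipsec.sys"]
    current = {name: md5_hex(data) for name, data in on_disk.items()}
    return compare(current, BASELINE)


if __name__ == "__main__":
    for name, status in demo_report().items():
        print(f"{name:14} {status}")
    # On a real system: compare(hash_directory(Path(r"C:\Windows\system32\drivers")), BASELINE)
```

    In practice the baseline would come from a trusted source (the same service-pack build on a known-clean machine, or a vendor file catalogue), never from the suspect machine itself; the value of the check is entirely in where the "good" hashes came from.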
     
  11. jeepwhisperer

    jeepwhisperer Private E-2

    Here you go. The only slight hitch was the StartNow toolbar. When I tried to uninstall it it said that it must have already been uninstalled and asked if I wanted to remove it from the add/remove menu... I clicked yes...
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Vuze Remote Toolbar

    I would prefer if you ran this fix while in Safe Mode for the highest chance of success.
    See: How to start your computer in Safe mode

    Attached is OTLfix.txt
    Download and save this to your desktop of the infected computer.


    Now reopen OTL.
    Then drag OTLfix.txt into the custom fix text-field.
    You should see a bunch of text transferred over into the text-field.
    Now click the fix button.
    The fix will require a reboot. Allow it to reboot into Normal Mode.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Test your internet after the reboot but complete the below step regardless and let me know what problems remain.

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     

    Attached Files:

    Last edited: Apr 10, 2012
  13. jeepwhisperer

    jeepwhisperer Private E-2

    Internet works! I'm sending this from the "patient" computer! Am I cured? I'll need to use the computer for a bit to see if anything funny is still happening, such as browser redirects, high CPU usage, etc.

    It was AVG that discovered the virus initially, and I don't have any protection right now. I was thinking of switching to Avast... opinion? Should I wait a while before installing a virus program?
     

    Attached Files:

  14. thisisu

    thisisu Malware Consultant

    Great ;)
    These logs look good but I would like to see an updated MBAM and TDSSKiller log. Please do this now. Make sure to update MBAM before scanning. Then attach both new logs.

    Hold off on installing/removing programs until we are all finished.
     
  15. jeepwhisperer

    jeepwhisperer Private E-2

    here they are...
     

    Attached Files:

  16. thisisu

    thisisu Malware Consultant

    Very good :)
    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN, enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)

    By the way, Avast is a pretty good AV, in my opinion.
     
  17. jeepwhisperer

    jeepwhisperer Private E-2

    ComboFix is on the root directory, c:
     
  18. thisisu

    thisisu Malware Consultant

    Move it to the desktop.
     
  19. jeepwhisperer

    jeepwhisperer Private E-2

    It's been a day, and I've installed all the recommended protection, and so far it looks like I'm cured! I can't thank you enough! Are you guys just member/volunteers that like a challenge... I assume you're not paid or anything. Either way, bless you for the service you provide! If you need any help related to automotive problems, electrical systems, or especially jeeps, offroading, or land-use issues, let me know. I owe you one.

    Joe Sand
     
  20. thisisu

    thisisu Malware Consultant

    You're welcome, Joe.
    Yes we are all volunteers, and thanks for the offer on the automotive help :)
     
