Removal of Malware - Trojan Crypt.AQLW?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by callisti, Mar 6, 2012.

  1. callisti

    callisti Private E-2

    Here goes...

    The PC (Windows XP [32-bit] SP3) I'm working on has been infected with a trojan - the internet connection settings have changed and it won't connect automatically as it did before. When I attempted connecting manually (enabling Wifi) and opened a browser, it would redirect after the homepage to various spammy sites.

    AVG on startup picked up a threat and I quarantined it. I then ran SAS, MBAM and AVG in normal boot Windows XP (where some rootkit infections seemed to be picked up to be dealt with on reboot), and then, when AVG picked up the infection again after reboot, did all three scans again in Safe Mode.

    On the next start up AVG found the same issue, so I did some online searches about Trojan AQLW and came here!

    - - - - -

    I've tried to go through the list of preparatory clean ups and downloaded as many of the tools as I can.

    Note: CCleaner on each reboot would find temporary internet files to clean even though no obvious internet connection

    - - - - -

    1. Ran SAS again - saved log file but no infections found.

    Log file attached -


    2. Ran MBAM again - saved log file but no infections found.

    Log file attached -


    3. Installed ComboFix to desktop - tried to disable AVG2012 as per bleepingcomputer but ComboFix still detected it, so removed AVG using the AVG removal tool as advised in your guide.

    Was then able to run ComboFix - had to connect briefly to internet to allow recovery console to be downloaded and installed, then closed connection.

    ComboFix message - tcp/ip stack infected by rootkit - seemed to find, delete and fix some issues but hung for ages on blue "rebooting windows" screen.

    Forced to reboot manually after no activity for an hour.

    Restarted fine except that the keyboard stopped working, so I couldn't enter the profile password, so restarted in Safe Mode, where ComboFix was preparing the log report.

    Log file attached -


    4. Ran RootRepeal from desktop in Safe Mode - scanned Files.

    Log file attached -


    5. Installed and ran MGTools from C:\

    Note: in Safe Mode still as keyboard had stopped working

    Log file attached to next post - MGlogs.zip

    - - - - -

    I need to quickly source a keyboard!

    contd...
     

  2. callisti

    callisti Private E-2

    contd...

    5. Installed and ran MGTools from C:\

    Note: in Safe Mode still as keyboard had stopped working

    Log file attached - MGlogs.zip
     

  3. thisisu

    thisisu Malware Consultant

    Hello and welcome to Major Geeks, callisti!

    This is one of the newer variants of ZeroAccess. I need to gather a bit more information before we attempt a fix.

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      msconfig
      safebootminimal
      activex
      drivers32
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      netbt.sys
      pacsptisvr.dll
      pcx1nd5.dll
      rtfknph8.exe
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Attach OTL.txt to your next message. (How to attach)
     
    Last edited: Mar 6, 2012
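    The scan above asks OTL to list every driver and service, which is where its "File not found" entries come from: a subkey under Services whose ImagePath points at nothing on disk. The Python below is an added example, not part of the thread and not OTL's or MGTools' code. It reproduces that check over a `reg export` of the Services key, so it can run on a separate analysis machine rather than on the suspect box, with `exists` pluggable for a live system (os.path.exists) or a mounted image. The .reg text, the present-file list and the names gonedrv, ExampleSvc, oldfilt and Stale are constructed for the example. Caveat for reading the output: a default XP install carries many disabled legacy storage-driver entries with no file behind them, so treat the result as a list to review against the logs, not a list to delete.

```python
r"""Flag Services subkeys whose ImagePath names a file that is not on disk.
Input is a Regedit 5.00 export, e.g. taken on the suspect machine with
    reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg
`exists` decides whether a resolved path is present (os.path.exists on the live
box, or a callable that maps C:\ onto a mounted image of it)."""
import os
import re

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed sample export, not a real registry. ImagePath is usually REG_EXPAND_SZ,
# which reg export writes as "hex(2):" UTF-16LE bytes wrapped over lines ending in
# '\'; REG_SZ values are quoted strings in which \ and " are escaped with a backslash.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt]
"Start"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,\
  49,00,56,00,45,00,52,00,53,00,5c,00,69,00,38,00,30,00,34,00,32,00,70,00,72,00,74,00,\
  2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters]
"Example"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gonedrv]
"Start"=dword:00000003
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,\
  69,00,76,00,65,00,72,00,73,00,5c,00,67,00,6f,00,6e,00,65,00,2e,00,73,00,79,00,73,00,\
  00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oldfilt]
"Start"=dword:00000004
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\oldfilt.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stale]
"Start"=dword:00000002
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_QUOTED_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"')


def _logical_lines(text):
    """Join continuation lines: a line ending in '\\' continues on the next one."""
    buf = None
    for raw in text.splitlines():
        line = buf + raw.strip() if buf is not None else raw.rstrip()
        buf = line[:-1] if line.endswith("\\") and not line.startswith("[") else None
        if buf is None:
            yield line
    if buf is not None:
        yield buf


def _parse_data(data):
    """Decode a value's data: quoted REG_SZ, hex(2) REG_EXPAND_SZ, else the raw text."""
    if data.startswith('"'):
        return re.sub(r"\\(.)", r"\1", _QUOTED_RE.match(data).group(1))
    if data.startswith("hex(2):"):
        raw = bytes.fromhex(re.sub(r"[,\s]", "", data[7:]))
        return raw.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg_export(text):
    """Parse an export into {key path: {value name (lowercased): data}}; [-KEY] deletions are ignored."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = None if line.startswith("[-") else keys.setdefault(line[1:-1], {})
            continue
        m = _VALUE_RE.match(line)
        if current is not None and m:
            current[re.sub(r"\\(.)", r"\1", m.group(1)).lower()] = _parse_data(m.group(2))
    return keys


def image_path_to_file(image_path, windir=r"C:\WINDOWS"):
    """Reduce an ImagePath value to the file it names, in the forms the service manager accepts."""
    p = image_path.strip()
    if p.startswith('"'):                              # quoted: the path ends at the closing quote
        end = p.find('"', 1)
        p = p[1:end] if end > 0 else p[1:]
    else:                                              # unquoted: arguments begin at " -" or " /"
        m = re.search(r"\s[-/]", p)
        p = p[:m.start()] if m else p
    p = re.sub(r"%(systemroot|windir)%", lambda _: windir, p, flags=re.I)
    if p.startswith("\\??\\") or p.startswith("\\\\?\\"):  # NT object-manager prefixes
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = windir + p[len("\\systemroot"):]
    if not re.match(r"^[A-Za-z]:\\", p):                # relative paths hang off %SystemRoot%
        p = windir + "\\" + p.lstrip("\\")
    return p


def find_orphaned_services(reg_text, exists=os.path.exists, windir=r"C:\WINDOWS"):
    """Return [(service, resolved path or None)] for direct children of the Services key
    that carry a Start value but whose binary is absent; Parameters/Enum subkeys are skipped."""
    prefix = SERVICES_ROOT.lower() + "\\"
    orphans = []
    for key, values in parse_reg_export(reg_text).items():
        name = key[len(prefix):]
        if not key.lower().startswith(prefix) or "\\" in name or "start" not in values:
            continue
        path = image_path_to_file(values["imagepath"], windir) if "imagepath" in values else None
        if path is None or not exists(path):           # None: registered, but nothing to load
            orphans.append((name, path))
    return orphans


# Files "present" on the constructed box; NTFS names are case-insensitive, so compare lowercased.
PRESENT_FILES = {p.lower() for p in (r"C:\WINDOWS\system32\DRIVERS\i8042prt.sys",
                                     r"C:\WINDOWS\System32\svchost.exe")}


def sample_exists(path):
    return path.lower() in PRESENT_FILES
```

Against the sample, `find_orphaned_services(SAMPLE_REG, sample_exists)` reports gonedrv and oldfilt with the path that could not be found and Stale with no path at all; i8042prt and ExampleSvc resolve (the svchost arguments are stripped before the lookup). On a real export, read the file with `encoding="utf-16"` since reg export writes UTF-16LE with a BOM.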
  4. callisti

    callisti Private E-2

    Hello thisisu and thank you for taking this on.

    I've downloaded aswMBR and OTL from the links you supplied and have run the scans from desktop of troubled machine. (Normal boot up now - can enter windows password with new usb keyboard)

    For information - the troubled PC is not connected to the internet (have removed wifi dongle) and AVG was removed to run ComboFix so am transferring files across to and from PC desktop via usb memory stick to macbook which has internet connection.

    The 2 log files should be attached.
     

    Last edited: Mar 7, 2012
  5. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    SRV - File not found [Auto | Stopped] --  -- (zfdwm)
    SRV - File not found [Auto | Stopped] --  -- (wtwservice)
    SRV - File not found [Auto | Stopped] --  -- (webrootenterpriseupdateservice)
    SRV - File not found [Auto | Stopped] --  -- (uleadburninghelper)
    SRV - File not found [Auto | Stopped] --  -- (tfsndrct)
    SRV - File not found [Auto | Stopped] --  -- (ser2plms)
    SRV - File not found [Auto | Stopped] --  -- (rppkt)
    SRV - File not found [Auto | Stopped] --  -- (radclock)
    SRV - File not found [Auto | Stopped] --  -- (NTIDrvr)
    SRV - File not found [Auto | Stopped] --  -- (nnsvc)
    SRV - File not found [Auto | Stopped] --  -- (M2500)
    SRV - File not found [Auto | Stopped] --  -- (iirsp)
    SRV - File not found [Auto | Stopped] --  -- (helpsvc)
    SRV - File not found [Auto | Stopped] --  -- (ccevtmgr)
    SRV - File not found [Auto | Stopped] --  -- (awhost32)
    SRV - File not found [Auto | Stopped] --  -- (avupdsvc)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ViaIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ultra)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (TosIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc8xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc810)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_u3)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_hi)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Sparrow)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1280)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1240)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql12160)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Ql10wnt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1080)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2hib)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (mraid35x)
    DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ini910u)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (i2omp)
    DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (hpn)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dpti2o)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dac960nt)
    DRV - File not found [Kernel | Disabled | Unknown] --  -- (dac2w2k)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Cpqarray)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (CmdIde)
    DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (cd20xrnt)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (catchme)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
    DRV - File not found [Kernel | On_Demand | Unknown] --  -- (aswMBR)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3550)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3350p)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (amsint)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (AliIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78u2)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Aha154x)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (adpu160m)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (abp480n5)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    NetSvcs: radclock -  File not found
    NetSvcs: tfsndrct -  File not found
    NetSvcs: iirsp -  File not found
    NetSvcs: NTIDrvr -  File not found
    NetSvcs: webrootenterpriseupdateservice -  File not found
    NetSvcs: wtwservice -  File not found
    NetSvcs: rppkt -  File not found
    NetSvcs: wampmysqld -  File not found
    NetSvcs: SNMPTRAP -  File not found
    NetSvcs: ccevtmgr -  File not found
    NetSvcs: uleadburninghelper -  File not found
    NetSvcs: awhost32 -  File not found
    NetSvcs: avupdsvc -  File not found
    NetSvcs: zfdwm -  File not found
    NetSvcs: nnsvc -  File not found
    NetSvcs: M2500 -  File not found
    NetSvcs: ser2plms -  File not found
    [15 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2012/03/06 01:08:24 | 022,291,240 | ---- | M] () -- C:\SAS_998B98D5.COM
    [2012/03/05 12:14:56 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\emH77rYm.dat
    [2012/03/05 12:04:53 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd
    [C:\WINDOWS\$NtUninstallKB59772$] -> Error: Cannot create file handle -> Unknown point type
    @Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    :files
    C:\WINDOWS\system32\drivers\i8042prt.sys|C:\WINDOWS\ServicePackFiles\i386\i8042prt.sys /replace
    rd /s/q C:\WINDOWS\$NtUninstallKB59772$ /c
    ipconfig /flushdns /c
    C:\$Avg
    C:\Documents and Settings\Administrator\Local Settings\temp\MPC2.tmp
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Acrobat Assistant 7.0"=-
    "QuickTime Task"=-
    "iTunesHelper"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
    "startup"=dword:00000000
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    :commands
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Let me know if this fix restored your PS/2 keyboard and mouse.
    _________________

    Now attempt to fix internet:

    Tcp/ip stack is completely dead.

    Here are the steps to resolve this:

    I would like you to try the below.

    Click Start, and then click Run.
    In the Open box, type regedit, and then click OK.
    In Registry Editor, locate the following keys, right-click each key, and then click Delete:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    When you are prompted to confirm the deletion, click Yes.
    Close the Registry Editor.

    Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
    Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80. Save the file. Exit Notepad.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned, this is the one we want! Do not choose Microsoft TCP/IP v6!

    Note This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
    Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
    You will be asked to reboot your PC for the changes to take effect, go ahead and do this now.

    Once you have rebooted...
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK.
    Restart your computer.
    Test your Internet connectivity.

    ____


    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed these steps.
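    Why the TCP/IP step changes 0xA0 to 0x80: Characteristics in an INF network section is a bitmask of NCF_* flags, and 0xA0 is NCF_HAS_UI (0x80) plus NCF_NOT_USER_REMOVABLE (0x20); clearing the 0x20 bit is what makes the Uninstall button appear. The Python below is an added example, not from the thread and not Microsoft's code. It clears that bit only inside [MS_TCPIP.PrimaryInstall], keeps a .bak of the original INF so it can be put back afterwards, and leaves any IPv6 section in the same file alone, which matters because the instructions say not to pick Microsoft TCP/IP v6. The INF excerpt is constructed in the file's layout, not its real contents, and patch_inf_file is a hypothetical helper name.

```python
"""Section-aware edit of nettcpip.inf: clear NCF_NOT_USER_REMOVABLE in one section only."""
import os
import re
import shutil

NCF_NOT_USER_REMOVABLE = 0x20          # 0xA0 == NCF_HAS_UI (0x80) | NCF_NOT_USER_REMOVABLE (0x20)

# Constructed excerpt in the layout of nettcpip.inf; not the file's real contents.
SAMPLE_INF = """[Version]
Signature   = "$Windows NT$"
Class       = NetTrans

[MS_TCPIP.PrimaryInstall]
Characteristics = 0xA0  ; NCF_HAS_UI | NCF_NOT_USER_REMOVABLE
AddReg          = TcpIp.AddReg

[MS_TCPIP6.PrimaryInstall]
Characteristics = 0xA0
AddReg          = TcpIp6.AddReg
"""

_SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
_CHAR_RE = re.compile(r"^(\s*Characteristics\s*=\s*)(0x[0-9A-Fa-f]+|\d+)(.*)$", re.I | re.S)


def clear_flag(inf_text, section="MS_TCPIP.PrimaryInstall", flag=NCF_NOT_USER_REMOVABLE):
    """Return (new_text, lines_changed) with `flag` cleared from the Characteristics
    entry of `section` only. Other sections, trailing comments and line endings are
    kept as they are, and a value that already lacks the flag is left untouched, so
    running the function twice is harmless."""
    out, in_section, changed = [], False, 0
    for line in inf_text.splitlines(keepends=True):
        m = _SECTION_RE.match(line)
        if m:
            in_section = m.group(1).strip().lower() == section.lower()
        elif in_section:
            c = _CHAR_RE.match(line)
            if c:
                old = int(c.group(2), 0)             # accepts 0xA0 as well as decimal
                new = old & ~flag
                if new != old:
                    line = "%s0x%02X%s" % (c.group(1), new, c.group(3))
                    changed += 1
        out.append(line)
    return "".join(out), changed


def patch_inf_file(path):
    """Hypothetical helper: back the INF up once to path + '.bak', then patch it in place.
    newline='' keeps the file's CRLF endings instead of translating them."""
    if not os.path.exists(path + ".bak"):            # never overwrite the pristine copy
        shutil.copy2(path, path + ".bak")
    with open(path, "r", newline="") as f:
        new_text, changed = clear_flag(f.read())
    if changed:
        with open(path, "w", newline="") as f:
            f.write(new_text)
    return changed
```

On the sample, `clear_flag(SAMPLE_INF)` rewrites exactly one line, `Characteristics = 0x80` in [MS_TCPIP.PrimaryInstall], and leaves the TCPIP6 section at 0xA0; the trailing comment on the edited line is preserved verbatim, so it still names the flag that was cleared. Restoring the .bak after the reinstall puts the protocol back to not-user-removable.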
     
  6. callisti

    callisti Private E-2

    Hello thisisu, and thank you for your instruction.

    I pasted the text you supplied into OTL and ran the fix.

    On restart the PS/2 keyboard is working again, thank you.

    The log file is attached.

    - - - - -

    I was able to follow your guidance for re-establishing internet connection and it seems to work.

    I feel a bit cautious as there is still no active antivirus or realtime anti-malware running at this time, and I didn't want to use any browsers unless instructed, so instead checked for the latest SpywareBlaster updates and noticed a Windows Update notification for updates being downloaded, before disconnecting from the internet.

    - - - - -

    I ran the update to MGtools and refreshed log file zip is attached also.

    The system appears ok. I'd unplugged a USB backup drive since this infection came to light - I don't know whether or not it's safe to plug it in, in case it undoes any progress with removing the infection on the PC's C drive, as I don't understand the nature of the infection.
     

  7. thisisu

    thisisu Malware Consultant

    :cool

    This type of infection does not target flash drives. Unless you have a completely different infection on the flash drive as opposed to what was on your PC, I think it is safe to plug the device in again.

    ___

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Your latest logs are clean :cool

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  8. callisti

    callisti Private E-2

    Hello thisisu, thanks for confirming my logs are clean. I've uninstalled Windows Messenger using the download link you provided and I've gone through the recommended cleanup process as best I can. I have also installed a new copy of AVG Free from a standalone installer so that there is some realtime antivirus protection.

    I will also acquire realtime protection using either MBAM or SAS - not sure which yet, although will keep both available for retrospective scanning.

    Browsers all seem to be behaving and internet connection is fine just now. I'll leave it for a few days of normal usage to see if anything crops up before toggling the system restore, as advised on MajorGeeks cleaning procedure thread, just in case.

    Thank you for your reassurance regarding flash drives.

    If all goes well I will post again in a few days to confirm that the system is still clean and that I've toggled system restore.
     
  9. thisisu

    thisisu Malware Consultant

    No problem. We'll be here ;)
     
  10. callisti

    callisti Private E-2

    Thisisu, everything has been behaving for a few days so have toggled and re-enabled system restore. Thanks again for your methodical approach.

    Is there a way I can help support MajorGeeks beyond liking on Facebook and clicking on ads? Like donating credit for coffee somehow?
     
  11. thisisu

    thisisu Malware Consultant

    Hello callisti,

    You're welcome.

    We do not accept donations but would appreciate if you would tell others about MajorGeeks.

    Surf safely! :)
     
