Win32:Patched-AKC [Trj]

Hi!

Avast detected the Patched-AKC trojan on one of my computers.
However, the infected file is services.exe, so it can’t be removed or quarantined.

Anyone know how to get rid of this virus?

BR
Peter

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

Thanks! Here is the OTL-log.

The Extras-log.

There are some other logs required, Malwarebytes Anti-Malware (MBAM) and aswMBR; that should be enough to give the malware removal specialist more detailed information to work with.

I know, just having a problem with the computer BSOD’ing when running aswMBR.
Here’s a partial log from that utility, will try to attach the complete one.

OK, there is probably enough in that aswMBR to start with.

A malware removal specialist has been informed of your topic.

Here’s the MBAM log. However, it’s in Swedish, and it says that the threats were removed (according to Avast they weren’t).

Hi, I will kill and repair as much as possible in this first run.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O3 - HKU\S-1-5-21-2307098199-1139776355-4259011491-1001\..\Toolbar\WebBrowser: (no name) - {EBD898F8-FCF6-4694-BC3B-EABC7271EEB1} - No CLSID value found.
O4 - HKU\S-1-5-21-2307098199-1139776355-4259011491-1001..\Run: [Vidalia] "C:\Program Files (x86)\Vidalia Bundle\Vidalia\vidalia.exe" File not found
Alternate Data Stream - 1286 bytes -> C:\Users\Peter\AppData\Local\Vg71hDCB5pqKiz:ekXueeLJpzW1xiQ0QyxBwEsiEWu
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
@Alternate Data Stream - 1217 bytes -> C:\ProgramData\Microsoft:EiOgusr0gzg5Ec8Mk4Uo92
@Alternate Data Stream - 1182 bytes -> C:\ProgramData\Microsoft:7TJB5mLBvdceyXITVEVRA8k
@Alternate Data Stream - 1075 bytes -> C:\Program Files\Common Files\Microsoft SharedalVJD54k56MNxW6gt
@Alternate Data Stream - 1058 bytes -> C:\ProgramData\Microsoft:3hxRsNOmQLRxvW9oTXiZm58PkwmCP6

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32] 
""="%systemroot%\system32\wbem\wbemess.dll" 
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] 

:Files
C:\Windows\Installer\{1b6e57e4-26ea-a2bc-7202-1f57da87f8cc}
C:\Users\Peter\AppData\Local\{1b6e57e4-26ea-a2bc-7202-1f57da87f8cc}
C:\Program Files (x86)\Vidalia Bundle
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

  • Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, the SmartScreen Filter will need to be disabled

  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished …
  • Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

  • The report has been created on the desktop.

  • Next click on the ShortcutsFix

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

FINALLY

Download the zip file from the link below
https://dl.dropbox.com/u/73555776/Trailsmoke.zip
Extract the seven reg files to your desktop
Double click each in turn and allow to merge
Reboot the computer
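The fix above removes several alternate data streams and targets a services.exe that Avast reports as patched. As an added illustration, not part of the specialist's fix or of OTL, the following PowerShell script performs the read-only checks a defender would run before and after such a cleanup: it verifies the Authenticode signature and hash of services.exe, and enumerates any remaining alternate data streams under the same directories the fix touches. It assumes an elevated Windows PowerShell 4.0+ prompt (Get-FileHash) and deletes nothing.

```powershell
# Added example (not from the thread): read-only integrity checks matching the OTL fix above.
# Assumes an elevated Windows PowerShell 4.0+ session.

$target = Join-Path $env:SystemRoot 'System32\services.exe'

# 1. Does the system binary still carry a valid Microsoft signature?
#    A patched/infected services.exe fails this check (typically Status = HashMismatch).
$sig = Get-AuthenticodeSignature -FilePath $target
[pscustomobject]@{
    File   = $target
    Status = $sig.Status
    Signer = $sig.SignerCertificate.Subject
    SHA256 = (Get-FileHash -Path $target -Algorithm SHA256).Hash
}

# 2. Enumerate alternate data streams (ADS) under the locations the fix lists
#    (ProgramData, the user's Local AppData, Common Files). The default ':$DATA'
#    stream and the benign Zone.Identifier stream on downloads are skipped.
$roots = @(
    $env:ProgramData,
    $env:LOCALAPPDATA,
    (Join-Path $env:ProgramFiles 'Common Files')
)

$streams = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
}

# Largest streams first; random-looking stream names on system folders, as in the
# fix above, are the ones worth submitting to a malware removal specialist.
$streams |
    Select-Object FileName, Stream, Length |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

The signature check is the quickest way to confirm the "patched" verdict independently of the antivirus: a genuine services.exe reports Status = Valid with a Microsoft Windows signer, and any byte-level modification breaks that.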

Hi!

The OTL stopped responding after running for a while, but I rebooted the computer, ran RogueKiller and the reg files as well, and the trojan seems to be gone. At least the popups from Avast have stopped, and it doesn’t find it anymore when rescanning the disk.

However, the SharedAccess.reg wouldn’t run. I got an error message (in Swedish) stating that it could not access the registry.
The other registry files ran without problems.

Anyway, the trojan seems to be gone, so that’s really good news, thanks :)

Could you attach the RogueKiller logs please, so that I can ensure it has gone?

Also, is Windows Update working?

Here is the RK logfile.

Windows update seems to be working, however I cannot change or even access the windows firewall settings.
Just throwing error “Windows firewall cannot change some of your settings, error 0x8007042c” (error message translated from Swedish).

Start an elevated command prompt:
Go Start > All Programs > Accessories
Right click command prompt and select Run as Administrator

Now run the following command lines, pressing Enter after each:

netsh advfirewall reset
net start mpsdrv
net start bfe
net start mpssvc
regsvr32 firewallapi.dll

Then retry please
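The commands above start the firewall chain in dependency order (mpsdrv, then BFE, then MpsSvc). As an added example, not part of the reply above, this PowerShell script shows the read-only diagnostics worth collecting before retrying: state, start type, logon account and dependencies of each service, and the service security descriptors, which is where an "access denied" (error 5) on start is decided. It assumes an elevated Windows PowerShell 3.0+ prompt; the sc.exe sdshow call is standard Windows.

```powershell
# Added example (not from the thread): read-only look at the Windows Firewall service chain.
# Assumes an elevated Windows PowerShell 3.0+ session.

$services = 'MpsSvc', 'BFE'   # user-mode services: Windows Firewall, Base Filtering Engine
$driver   = 'mpsdrv'          # kernel driver both of them depend on

foreach ($name in $services) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "$name is not registered as a service"; continue }
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Account   = $svc.StartName   # expected: NT AUTHORITY\LocalService for both
        DependsOn = ((Get-Service -Name $name).ServicesDependedOn | ForEach-Object Name) -join ', '
    }
}

# Kernel drivers are not visible to Get-Service; query Win32_SystemDriver instead.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$driver'"
[pscustomobject]@{
    Name      = $driver
    State     = if ($drv) { $drv.State } else { 'not registered' }
    StartMode = if ($drv) { $drv.StartMode } else { '-' }
    Path      = if ($drv) { $drv.PathName } else { '-' }
}

# Service security descriptors in SDDL form. A healthy descriptor grants start/stop
# rights (RP/WP) to SYSTEM (SY) and Administrators (BA). If those ACEs are missing
# or replaced by deny (D;...) entries, "net start" fails with error 5 even when elevated.
foreach ($name in $services + $driver) {
    Write-Output "--- $name ---"
    & sc.exe sdshow $name
}
```

If the SDDL output for BFE lacks the Administrators ACE or carries deny entries, the problem is the service's permissions rather than the account it runs under, and that is what a removal specialist needs to see in the reply.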

Unfortunately this didn’t work.
The netsh command didn’t work since the Windows Firewall isn’t running.

I can’t start that one since the dependencies aren’t running. When trying to start the Base Filtering Engine (bfe) I get an “access denied” error, code 5. (And yes, I’m trying to start it from an elevated command prompt.)

Both the Firewall and the bfe are set to run with the Local Service account. Maybe it lost its privileges somehow?

OK, let’s try a different route.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

Ok, unfortunately that didn’t seem to work that well.
The ComboFix tool seemed to run as intended, the computer was rebooted and a log created.

However, now I’m no longer able to connect to the internet at all.
The network is now shown as an undefined network and it doesn’t get an IP address from the ISP, just the Windows-internal 169.x.x.x address…

My other computers run fine.
Here is the combofix log.

When trying to run ipconfig /renew I get this message:

“The support for the specified socket type does not exist in this address family.”

It seems like my winsock might have been corrupted.
When running msinfo32 and looking under network->protocols there is nothing there.

netsh winsock reset catalog just throws access denied even when running it from an elevated cmd.
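The symptoms in this post (empty protocol list in msinfo32, the "socket type" error from ipconfig /renew, access denied on netsh winsock reset) all point at the Winsock catalog. As an added example, not part of the poster's message, this PowerShell script collects the read-only evidence for that diagnosis: the protocol list msinfo32 reads, the Winsock catalog as netsh reports it, and the ownership and deny entries on the two registry keys the catalog lives in. It assumes Windows PowerShell 3.0+ and changes nothing.

```powershell
# Added example (not from the thread): read-only Winsock state check.
# Assumes Windows PowerShell 3.0+; an elevated prompt is needed to read the key ACLs.

# 1. What msinfo32 shows under Components > Network > Protocol.
$protocols = Get-CimInstance -ClassName Win32_NetworkProtocol |
    Select-Object Name, Status, SupportsBroadcasting, MaximumAddressSize
if (-not $protocols) {
    Write-Warning 'No network protocols reported: the Winsock catalog is empty or unreadable.'
} else {
    $protocols | Format-Table -AutoSize
}

# 2. Raw Winsock catalog as netsh reports it. A healthy system lists the MSAFD Tcpip
#    providers at minimum; zero entries matches the msinfo32 symptom in the post.
$catalog = & netsh.exe winsock show catalog
$entries = @($catalog | Where-Object { $_ -match '^\s*Catalog Entry ID:' })
"Winsock catalog entries: $($entries.Count)"
$catalog | Where-Object { $_ -match '^\s*Description:' } |
    ForEach-Object { ($_ -split ':', 2)[1].Trim() } |
    Sort-Object -Unique

# 3. The registry keys that hold the catalog. "netsh winsock reset" rewrites them, so
#    a deny ACE or a changed owner on these keys is one reason the reset itself can
#    fail with "access denied" from an elevated prompt.
$keys = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9',
        'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5'
foreach ($k in $keys) {
    $acl = Get-Acl -Path $k -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key    = $k
        Exists = Test-Path -Path $k
        Owner  = if ($acl) { $acl.Owner } else { 'unreadable' }
        Deny   = if ($acl) { @($acl.Access | Where-Object AccessControlType -eq 'Deny').Count } else { '-' }
    }
}
```

A missing key, an unexpected owner, or a non-zero deny count on either catalog key explains both the empty protocol list and the failed reset, and is the kind of detail worth attaching alongside the ComboFix log.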

OK, ComboFix created a restore point; go back to that, as it did not remove anything of note.
Let me know how that goes.

No, ComboFix said it created a restore point.
However, Windows says there are no restore points to go back to.

I’m reinstalling Windows on that computer instead, it seems pretty messed up.
Thanks anyway!