Win32: Patched-AKC [Trj]

My Avast has detected Win32: Patched-AKC [Trj], with read only action available.

When booting my computer, after the log in screen, there is 1-2 minutes of black screen with only the mouse visible.
After this delay Windows comes on, though slowly and bit by bit. This began a couple of weeks ago, I believe it may have something to do with this trojan. Slow down is the only significant problem I have noticed.

I have read through other threads on this trojan, here are logs as per the guides posted.

Thanks for any help.

Last log attached here.

On completion of these runs, could you let me know if the alerts cease.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Files
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\Jahoobano\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

Thank you for the quick response, forgive me my delayed one.

I have followed the procedure, received the logs.

Unfortunately, I ran an Avast quick scan and it has still detected Win32: Patched-AKC [Trj] present in C:\Windows\System32\Services.exe

Aye, ComboFix will need to be told where the spare services file is.

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy:: C:\Windows\SoftwareDistribution\Download\d15e0adcf011f7a00bde2023e8b74a00\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe|c:\windows\system32\Services.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
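As an added example (not part of the helper's instructions above), the PowerShell below is one way to check, before and after the FCopy step, whether the live services.exe carries a valid Microsoft signature and whether it is byte-for-byte identical to the candidate clean copy; the candidate path is a placeholder you replace with the SoftwareDistribution copy named in the CFScript.

```powershell
# Added example, not from the thread. Compares the live services.exe with a
# candidate clean copy by SHA-256 and reports each file's Authenticode status.
# $Candidate is a placeholder; on this system it would be the path from the CFScript.
$Live      = 'C:\Windows\System32\services.exe'
$Candidate = 'C:\Windows\SoftwareDistribution\Download\<folder>\<x86_microsoft-windows-s..s-servicecontroller_...>\services.exe'

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing so this also works on the older PowerShell that ships with Vista
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Get-ServicesExeReport {
    param([string]$Live, [string]$Candidate)
    foreach ($p in @($Live, $Candidate)) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Missing: $p"; continue }
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path   = $p
            Status = $sig.Status           # Valid, HashMismatch, NotSigned, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            SHA256 = Get-Sha256Hex -Path $p
        }
    }
}

$report = Get-ServicesExeReport -Live $Live -Candidate $Candidate
$report | Format-List

# A patched binary normally shows HashMismatch, or a hash that differs from the clean copy.
# Caveat: Windows system files are often catalog-signed rather than embedded-signed, so
# NotSigned alone is not proof of tampering; cross-check with the built-in file checker.
if ($report.Count -eq 2 -and $report[0].SHA256 -ne $report[1].SHA256) {
    Write-Warning 'Live services.exe differs from the candidate copy.'
}
sfc /verifyfile=$Live
```

Run it from an elevated PowerShell prompt; a HashMismatch status or a hash that differs from the candidate copy is what the Avast "Patched" detection corresponds to.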

I did the combofix again with the script. I got the log and scanned with Avast and no alerts turned up.

I rebooted to see if the problem still existed and something much worse has now happened.

It will not boot at all; it will not make it to the log in screen, it just goes straight to the black screen with only the mouse visible. I have tried booting in safe mode and it stalls while loading the drivers in System32.

Please help.

EDIT: the file that safe mode stalls after loading is \Windows\System32\Drivers\aswRvrt.sys

Could you reboot the computer to safe mode please?

Reboot the computer, press and hold F8
On the menu that appears select Safe mode with Networking

Then attach the combofix log please

I tried booting in all three safe mode options, they all got stuck loading the drivers.

I then tried system recovery as I thought it would have a restore option, but in actuality it returns it to factory defaults.
I did not know this until a prompt came up that explained what I was doing.
I shut the computer off, though now whenever I boot it up it has a progress bar captioned “loading files” and it goes back to this same factory default prompt.

Is there any way to get my Windows back the way it was now that I pressed the system recovery option? I haven’t proceeded beyond the initial prompt that comes up explaining it will restore the factory default.
If I’ve gone too far to return Windows, is the data on my hard drive still intact?

I’ve tried holding F8, but it just creates a loud error noise that persists until I terminate the power.

win32:patched-akc [trj], win32downloader…, win32malware.gen and similar types of trojans are very deep-rooted infections, esp. win32:patched-akc [trj].
It should be removed as early as possible, and yes, it hides deep in system files, explaining a lot of users complaining it cannot be moved, read only…
Forceful attempts will cause a system crash.
Removal steps:
NOTE: these steps are for this win32:patched-akc [trj] infection, not to be applied for others; if so it may render the system unstable.

Ctrl+alt+del {opens taskmanager}
under the processes tab
end the process “random.exe”

winlogo start button+R {open run}
Find and Delete

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"[RANDOM]"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"[RANDOM].exe"

search & Delete the following files
%AllUsersProfile%\Application Data.dll
%AllUsersProfile%\Application Data.exe(random)

You might opt for rebooting; after that your computer should run fine.

@Augustus that is totally pointless generic information and will achieve nothing.

@apocaly you will need a USB drive for this. At what stage did it fail to boot? I.e. after the ComboFix reboot?

Download the following three programmes to your desktop :

  1. WiNToBootic
  2. Windows Vista 64bit RC
  3. Farbar Recovery Scan Tool x64

Insert a USB drive of at least 1GB
Run WiNToBootic

http://dl.dropbox.com/u/73555776/wintoboot.JPG

Drag and drop the Windows Vista ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

http://dl.dropbox.com/u/73555776/usb%20progress.JPG

It will let you know when it is done
Then copy FRST to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that, follow the instructions Here

When you reboot you will see this.
Click repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following :

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.

https://dl.dropbox.com/u/73555776/FRST%20Start%20scan.gif

Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

I would like the proof that it’s pointless.

Where shall we start… What is a random file? How can you determine what is good or bad? There will still be further files related to the malware onboard. How does that replace the infected services.exe present on the system, etc…

The computer failed to boot after I had run the ComboFix and removed the virus. ComboFix didn’t reboot the system; I did, to see if it was still running slow, and that’s when I couldn’t run it in any form.

I am not at all confident now that I’ll be able to proceed without accidentally wiping my hard drive. Can you please outline what this Farbar recovery scan will do, and what you need it to tell you?

Also, I see a system restore option in the image you provided. Would I be able to restore the computer to before I initiated the second Combofix with this? This is what I was hoping would be there when I pressed System Recovery, instead it only had a factory default window. I realize system restore would return the computer to when it had the virus, but I’m willing to live with it on there, rather than be unable to boot my computer at all.

However, if your latest instructions could restore Windows and keep the hard drive intact, can you please outline how?

Farbar will give me a list of all processes and drivers that are to begin at a normal boot; it will also check that all main system files are legitimate and check the MBR.
It will make no changes to the computer unless a fixlist is run.

WiNToBootic gives me:

Drive formatted
Flashing failed

The USB drive is 2GB, and remains empty after the process.

Let's try a different burner.

Download Rufus to the desktop

Insert the USB stick Then run Rufus

https://dl.dropbox.com/u/73555776/rufus.JPG

Select the ISO file on the desktop via the ISO icon.

Press Start Burn

https://dl.dropbox.com/u/73555776/RufusISO.JPG

Once the USB has burnt, then add FRST to the USB and proceed as before.

Is the volume label you highlighted important?

Mine switched to 2008.03.29_2201, not ReatogoPE.

Volume is not important; the screenshot is a generic one that I also use for XP systems.

There is no repair your computer option when I boot the USB.

There is only an install Vista option with adjustable boxes for time, language, etc. and a next button to move forward after that.

There should be, as that is only the recovery console and not a full Vista set ISO.

I have another way to enter the system

Download PeaZip to the desktop
Run and install the programme
As it installs this page will show; deselect the AVG ticks
Press decline and it will then install cleanly

https://dl.dropbox.com/u/73555776/peazip.jpg

Download the following files to the desktop… Right click the links and select Save as… then select desktop

Rufus

OTLPE_standard

Right click OTLPE on your desktop and select …Open as archive

https://dl.dropbox.com/u/73555776/Unzup%20archive.png

Select OTLPE standard

https://dl.dropbox.com/u/73555776/select%20archive.PNG

Click Extract, ensure that desktop is selected

https://dl.dropbox.com/u/73555776/extract%20archive.PNG

Insert the USB stick Then run Rufus

https://dl.dropbox.com/u/73555776/rufus.JPG

Select the ISO file on the desktop via the ISO icon.

Press Start Burn

https://dl.dropbox.com/u/73555776/RufusISO.JPG

Once the USB has burnt, boot from the USB

  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked “Do you wish to load the remote registry”, select Yes
  • When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
  • Ensure the box “Automatically Load All Remaining Users” is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have an internet connection on this system
  • Please post the contents of the C:\OTL.txt file in your reply.