Win32:Patched-AKC [Trj]

I initially had a problem when I torrented a song and found that it would pop up and play every time I would log into my account.
I’ve tried deleting it several times but it continues to reappear in a temp folder. I figured it wasn’t anything too serious so I just dealt with it and closed it as it would come up on start up.
Soon enough I noticed my computer was slowing down, so I decided to get an anti-virus. To my dismay I wasn’t able to access Microsoft or Anti-virus websites to help me solve this situation. Although, I have managed to fix this.

I installed Avast! and found that Win32:Patched-AKC [Trj] was the only threat that couldn’t be deleted, fixed etc etc.
Considering it involves System 32 I am guessing it would be very difficult to remove as removing System 32 would completely ruin my laptop. How would I go around fixing this?

follow this guide and attach logs (do not copy and paste them): http://forum.avast.com/index.php?topic=53253.0

run in order listed
AdwCleaner / Malwarebytes / OTL

when done, malware experts will be notified and help you
when finish, all tools used will be removed

Monitoring

Attachments:
AdwCleaner
Malwarebytes’ Anti Malware
OTL
Extras

Attachment:
AswMBR

Hey Odiosus,

AdwCleaner logs …
AdwCleaner[R0].txt - [7923 octets] - [06/11/2013 08:49:08]
AdwCleaner[R1].txt - [631 octets] - [06/11/2013 08:54:18]
AdwCleaner[S0].txt - [7822 octets] - [06/11/2013 08:50:57]

  • You have attached the [R1] report. I’ll need to see the [S0] report. Please attach the AdwCleaner[S0].txt log report here.

Scan with Combofix:

  • Please download ComboFix by sUBs and save it to your Desktop.
You may read how Combofix works here.

  • Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.

  • Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

  • When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) back to the topic.
(typical log location: C:\ComboFix.txt )

AdwCleaner [S0]

Attachment:
ComboFix

Is there anything else required?

Looks good. ComboFix did an excellent job. But we still have some work to do.

Open notepad and copy/paste the text present inside the code box below:

Folder::
c:\windows\Installer\{4837efbf-9635-b913-35d3-1c368ca388a3}
c:\program files (x86)\SweetIM

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"1781466620"=-

ClearJavaCache::

FileLook::
c:\windows\system32\services.exe

DDS::
IE: Search the Web - c:\program files (x86)\SweetIM\Toolbars\Internet Explorer\resources\menuext.html

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )


Re-check:

Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Attachments:
ComboFix Log
FRST
Addition

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
HKU\JARED.Woody-PC\...\Run: [Ozitcuofre] - C:\Users\JARED.Woody-PC\AppData\Roaming\Okdaz\oboni.exe
HKU\JARED.Woody-PC\...\CurrentVersion\Windows: [Load] c:\users\jared~1.woo\dxlxvy.exe <===== ATTENTION
HKU\Woody\...\Run: [Ofbuuc] - C:\Users\Woody\AppData\Roaming\Ehofum\akyv.exe
C:\Users\JARED.Woody-PC\AppData\Roaming\Okdaz
c:\users\jared~1.woo\dxlxvy.exe
C:\Users\Woody\AppData\Roaming\Ehofum\akyv.exe
FF SearchPlugin: C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\searchplugins\babylon.xml
FF SearchPlugin: C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\searchplugins\delta.xml
C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\searchplugins\babylon.xml
C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\searchplugins\delta.xml
FF Extension: uTorrentControl_v2  - C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\Extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
FF Extension: No Name - C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\Extensions\{4de46b94-1b91-474a-9ae5-6074f86ef7e9}.xpi
C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\Extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\Extensions\{4de46b94-1b91-474a-9ae5-6074f86ef7e9}.xpi
CHR HKLM-x32\...\Chrome\Extension: [pacgpkgadgmibnhpdidcnfafllnmeomc] - C:\Users\JAREDR\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx
C:\Users\JAREDR\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx
2013-11-06 02:50 - 2013-03-15 09:32 - 00000000 ____D C:\Users\JARED.Woody-PC\AppData\Roaming\Uzlour
2013-11-06 02:50 - 2013-03-15 09:32 - 00000000 ____D C:\Users\JARED.Woody-PC\AppData\Roaming\Okdaz
2013-11-06 02:50 - 2013-02-25 17:15 - 00000000 ____D C:\Users\Karren.Woody-PC\AppData\Roaming\Poawt
2013-11-06 02:50 - 2013-03-27 13:40 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Zoree
2013-11-06 02:50 - 2013-03-27 13:39 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Beuk
2013-11-06 02:50 - 2013-03-27 13:39 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Acxuu
2013-11-06 02:50 - 2013-03-27 13:38 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Mugowi
2013-11-06 02:50 - 2013-03-27 13:37 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Evraaw
2013-11-06 02:50 - 2013-03-27 13:37 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Afyhu
2013-11-06 02:50 - 2013-03-27 13:36 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Ypol
2013-11-06 02:50 - 2013-03-27 13:36 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Inolta
2013-11-06 02:50 - 2013-03-27 13:35 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Hyuqg
2013-11-06 02:50 - 2013-03-15 09:32 - 00000000 ____D C:\Users\JARED.Woody-PC\AppData\Roaming\Uzlour
2013-11-06 02:50 - 2013-03-15 09:32 - 00000000 ____D C:\Users\JARED.Woody-PC\AppData\Roaming\Okdaz
2013-11-06 02:50 - 2013-02-25 17:15 - 00000000 ____D C:\Users\Karren.Woody-PC\AppData\Roaming\Poawt
2013-11-06 02:50 - 2012-07-14 22:50 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Ehofum
C:\Users\Woody\AppData\Local\{4837efbf-9635-b913-35d3-1c368ca388a3}
C:\Users\Karren.Woody-PC\jagex_cl_oldschool_LIVE.dat
C:\Users\Karren.Woody-PC\jagex_cl_runescape_LIVE.dat
C:\Users\Karren.Woody-PC\jagex_cl_runescape_LIVE1.dat
C:\Users\Karren.Woody-PC\jagex_cl_speccollect_LIVE.dat
C:\Users\Karren.Woody-PC\random.dat
Task: {F5206982-4BC4-4F93-B4AB-2533F61661AF} - \YourFile Update No Task File
Task: {FE795491-AC60-4881-895C-96B5B9A66608} - \Express FilesUpdate No Task File
AlternateDataStreams: C:\Users\Jackie Wood\Downloads:Shareaza.GUID
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Then attach a fresh FRST.txt log report by simply re-running FRST and hitting the Scan button.
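The fixlist above is a list of persistence locations (Run and Load values, scheduled tasks, browser extensions and search plugins, an alternate data stream, dropped folders) that the helper then verifies against a fresh FRST.txt. As an added example, not part of this thread and not FRST's or Farbar's own code, the Python below parses an FRST-style fixlist into structured indicators and then reports which targets still appear in a fresh scan log, which is exactly the re-check the helper asks for. Every path, value name, GUID and log line in it is a constructed sample, not data from the machine in this thread; the line-shape regexes are my reading of the format as it appears in the script above.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str    # run | load | task | ads | ff_plugin | ff_ext | chr_ext | listing | path | other
    name: str    # value name, task name, extension name/id, or "" when none
    target: str  # string to look for in a fresh FRST.txt: a file path, a stream, or a task GUID


# Line shapes that occur in an FRST fixlist, tried in this order (assumed from the thread's script).
_PATTERNS = [
    ("run", re.compile(r'^HK\w+\\[^:]*\\Run: \[(?P<name>[^\]]+)\] - (?P<target>.+?)\s*$')),
    ("load", re.compile(r'^HK\w+\\[^:]*\\Windows: \[(?P<name>Load)\] (?P<target>.+?)(?:\s*<=+\s*ATTENTION)?\s*$')),
    ("task", re.compile(r'^Task: (?P<target>\{[0-9A-Fa-f-]+\}) - (?P<name>.+?)(?: No Task File)?\s*$')),
    ("ads", re.compile(r'^AlternateDataStreams: (?P<target>.+)$')),
    ("ff_plugin", re.compile(r'^FF SearchPlugin: (?P<target>.+)$')),
    ("ff_ext", re.compile(r'^FF Extension: (?P<name>.+?)\s+- (?P<target>.+)$')),
    ("chr_ext", re.compile(r'^CHR .*Extension: \[(?P<name>[^\]]+)\] - (?P<target>.+)$')),
    ("listing", re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d{8} \S+ (?P<target>.+)$')),
    ("path", re.compile(r'^(?P<target>[A-Za-z]:\\.+)$')),
]

# Constructed sample fixlist: same line shapes as the thread's script, made-up names and paths.
SAMPLE_FIXLIST = r"""Start
HKU\Alice\...\Run: [Updater] - C:\Users\Alice\AppData\Roaming\Zzq\upd.exe
HKU\Alice\...\CurrentVersion\Windows: [Load] c:\users\alice\drop.exe <===== ATTENTION
C:\Users\Alice\AppData\Roaming\Zzq
c:\users\alice\drop.exe
FF SearchPlugin: C:\Users\Alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\searchplugins\foo.xml
FF Extension: Some Name - C:\Users\Alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\Extensions\{00000000-0000-0000-0000-000000000001}.xpi
CHR HKLM-x32\...\Chrome\Extension: [aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa] - C:\Users\Alice\AppData\Local\CRE\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.crx
2013-11-06 02:50 - 2013-03-15 09:32 - 00000000 ____D C:\Users\Alice\AppData\Roaming\Kqx
Task: {11111111-2222-3333-4444-555555555555} - \Foo Update No Task File
AlternateDataStreams: C:\Users\Alice\Downloads:Shareaza.GUID
End
"""

# Constructed sample of a fresh post-fix scan: everything is gone except one folder.
SAMPLE_FRESH_FRST = r"""Constructed FRST.txt sample (not a real log)
HKLM\...\Run: [Avast] => C:\Program Files\AVAST Software\Avast\avastUI.exe
2013-11-06 02:50 - 2013-03-15 09:32 - 00000000 ____D C:\Users\Alice\AppData\Roaming\Kqx
"""


def parse_fixlist(text: str) -> list[Indicator]:
    """Turn the lines between Start and End into structured indicators."""
    out = []
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Start":
            inside = True
            continue
        if line == "End":
            break
        if not inside or not line:
            continue
        for kind, rx in _PATTERNS:
            m = rx.match(line)
            if m:
                d = m.groupdict()
                out.append(Indicator(kind, d.get("name", ""), d["target"]))
                break
        else:
            out.append(Indicator("other", line, ""))  # keep unknown lines visible for manual review
    return out


def leftovers(indicators: list[Indicator], fresh_log: str) -> list[Indicator]:
    """Indicators whose target still shows up in a fresh FRST.txt (case-insensitive substring)."""
    log = fresh_log.lower()
    return [i for i in indicators if i.target and i.target.lower() in log]


if __name__ == "__main__":
    found = parse_fixlist(SAMPLE_FIXLIST)
    for ind in found:
        print(f"{ind.kind:10} {ind.name!r:20} {ind.target}")
    print("still present after fix:", [i.target for i in leftovers(found, SAMPLE_FRESH_FRST)])
```

Run it with the two sample strings replaced by the real fixlist.txt and the fresh FRST.txt; anything the second function returns is what to raise in the next reply. Lines the parser does not recognise are kept as kind "other" rather than dropped, so nothing in a fixlist silently disappears from the checklist.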

Attachments:
Fixlog
FRST

You have attached only the FRST.txt log, without FixLog.txt. I shall need FixLog.txt as well…

Oops, I apologise. I was sure I attached it!

Looks good. How is your computer behavior now?

It seems up to speed! Although, for some reason my scrolling on the laptop touchpad is now playing up. I wonder if it’s related?
And also, Windows decided to update like 140+ updates upon shut down, and a few things on start up. I’m not sure if that’s a normal amount or what, it’s usually around 10, not in the hundreds.

I’ll run Avast! again and see if there’s any thing that pops up.

Thanks for your time!

All this is fine. I shall remove my tools:

It is necessary to uninstall ComboFix :

  • Click Start (or http://amf.mycity.rs/pg/images/VistaStartButton.png ) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

  • In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

  • then click OK (or press Enter ).

Wait until the uninstall process is complete.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on the “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

I recommend keeping Malwarebytes and using MCShield if you wish.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, but it will immediately clean the flash drive, memory card or external HDD.