Author Topic: Win32-Patched-AKC [Trj]  (Read 8133 times)

0 Members and 1 Guest are viewing this topic.

Axel_B

  • Guest
Win32-Patched-AKC [Trj]
« on: September 09, 2012, 03:04:07 AM »
Hi,
when running a scan I got a threat that could not be removed.
File name: C:\Windows\System32\services.exe
Severity: High
Status: Threat: Win32-Patched-AKC [Trj]
Action: Move to chest
Result: The specified file is read only (6009)

I guess the problem is that it's in a System32 file which means it could harm the system to remove it. So how can I remove it?

I also keep getting popups saying Malware Blocked and sometimes also a trojan horse has been blocked.
I usually get about 3-5 of these messages quickly in a row.
Malware blocked:
Object: C:\Windows\Installer\...\(000000cb.@/80000064.@/80000000.@)
Infection: Win32:(Malware-gen/Win32:Trojan-gen)
Action: Moved to chest
Process: C:\Windows\System32\services.exe

Trojan horse blocked:
Object: C:\Windows\Installer\...\80000032.@
Infection:Win32:ZAcces-IJ[Trj]
Action: Moved to chest
Process: C:\Windows\System32\services.exe

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32-Patched-AKC [Trj]
« Reply #1 on: September 09, 2012, 12:23:21 PM »
Monitoring  8)

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32-Patched-AKC [Trj]
« Reply #2 on: September 09, 2012, 12:25:39 PM »
Hi,
I will be working on your Malware issues  ;)


  Step#1 

Download TDSSKiller  and save it to your desktop

    Execute TDSSKiller.exe by doubleclicking on it.

  •     Press Start Scan

     
  •   If Suspicious object is detected, the default action will be Skip, click on Continue.
     
  •   If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.


************

  Step#2 




> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens on the top right corner, click Settings.
  • In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Attach log reports ( ComboFix.txt) back to topic.




Axel_B

  • Guest
Re: Win32-Patched-AKC [Trj]
« Reply #3 on: September 09, 2012, 02:35:22 PM »
Hi Magna,

I've attached the logs from the both programs.
ComboFix seemed to mess up my computer, making it unable to connect to the internet again.
Tried all possible solutions I could find but solved it with a system restore in the end...

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32-Patched-AKC [Trj]
« Reply #4 on: September 09, 2012, 03:06:11 PM »
Hi,
First, there is no need to run TDSSKiller twice. Or is another TDSSKiller log after system restore?

Secondly...
Quote
ComboFix seemed to mess up my computer, making it unable to connect to the internet again.
Tried all possible solutions I could find but solved it with a system restore in the end...

Do I understand correctly.
You launched Combofix. This is the log that is attached?
Then you realized you lost your internet connection.
Then you back your system with system restore and is now all working normally?
Do you have pop-ups?
How is your computer basicly running now?
Do you have Quobox folder in C:\ ?

-------------


> Re-run aswMBR and attach here fresh aswMBR.txt log

-----------


Please download Farbar Service Scanner (FSS)  and run it on the computer with the issue.
  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please attach FSS.txt log to your reply.

-------------
Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code: [Select]
%systemroot%\*. /mp /s
netsvcs
msconfig
safebootminimal
safebootnetwork
CREATERESTOREPOINT
/md5start
services.exe
/md5stop
%systemroot%\Installer|@;true;true;true
dir /s /a "C:\Windows\Installer\{e618e9ed-fd00-d811-9c7a-11e786fc1979}" /c
%systemroot%\assembly\GAC\*.* /S /MD5
%systemroot%\assembly\GAC_32\*.* /S /MD5
%systemroot%\assembly\GAC_64\*.* /S /MD5
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c


  • Then click the Run Scan button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open notepad (OTL.txt) with logreport. Attach here that logreport.

Axel_B

  • Guest
Re: Win32-Patched-AKC [Trj]
« Reply #5 on: September 09, 2012, 03:19:07 PM »
Hi,
First, there is no need to run TDSSKiller twice. Or is another TDSSKiller log after system restore?
When I checked for the TDSSKiller log I had two of them, the second created about 3 minutes after the first. Thought it would be best to attach both of them...
Secondly...
Quote
ComboFix seemed to mess up my computer, making it unable to connect to the internet again.
Tried all possible solutions I could find but solved it with a system restore in the end...

Do I understand correctly.
You launched Combofix. This is the log that is attached?
Then you realized you lost your internet connection.
Then you back your system with system restore and is now all working normally?
Do you have pop-ups?
How is your computer basicly running now?
Do you have Quobox folder in C:\ ?
Yes, you understood correctly.
Everything seems to be working normally, I do however keep getting pop-ups.
Can't find any Quobox folder in C:\

Will do the rest you suggested now.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32-Patched-AKC [Trj]
« Reply #6 on: September 09, 2012, 04:14:31 PM »
- Ok, download fresh TDSSKiller and run again as you did before.
Reboot your computer.

- Re-run aswMBR.
- Run FSS
- Re-run OTL as i instructed above with custom script. 
- Attach here all logs  ;P

> How is your computer running now?

Axel_B

  • Guest
Re: Win32-Patched-AKC [Trj]
« Reply #7 on: September 09, 2012, 04:23:47 PM »
I just ran TDSSKiller again, and got two logs again created 3 minutes apart.
I've attached both of them.
« Last Edit: September 09, 2012, 04:34:07 PM by Axel_B »

Axel_B

  • Guest
Re: Win32-Patched-AKC [Trj]
« Reply #8 on: September 09, 2012, 04:35:48 PM »
aswMBR, FSS and OTL logs attached.

Edit:
My computer seems to be running fine now, no pop-ups so far... :)
« Last Edit: September 09, 2012, 04:38:47 PM by Axel_B »

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32-Patched-AKC [Trj]
« Reply #9 on: September 09, 2012, 05:05:51 PM »
Ok, i will give you my reply tonight.  ;)

Axel_B

  • Guest
Re: Win32-Patched-AKC [Trj]
« Reply #10 on: September 09, 2012, 05:08:23 PM »
Ok, great.
It has now passed 30 minutes since I ran all the programs and still no pop-up.
Thanks! :)

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32-Patched-AKC [Trj]
« Reply #11 on: September 09, 2012, 10:41:18 PM »
  • Please download BlitzBlank by emsisoft and save it to your desktop.

  • Open Blitzblank.exe by double click on it.

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).

  • Click the Script tab and copy/paste the following text there:



Code: [Select]
     
DeleteFile:
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

DeleteFolder:
C:\Users\Axel\AppData\Roaming\xsecva
C:\Users\Axel\AppData\Roaming\Ozynsi
C:\Users\Axel\AppData\Roaming\Ecosfy
C:\Windows\Installer\{e618e9ed-fd00-d811-9c7a-11e786fc1979}




  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by Blitzblank. you can find it at the root of the drive C:\

***********


  • Re-run TDSSKiller.exe and click on Change parametres.
  • Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
  • Click on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and attach the contents of it into your next reply
Note:It will also create a log in the C:\ directory.

***************

Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

    Code: [Select]

    /md5start
    services.exe
    /md5stop

    • Then click the Run Scan button at the top.
    • Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

Axel_B

  • Guest
Re: Win32-Patched-AKC [Trj]
« Reply #12 on: September 09, 2012, 11:41:33 PM »
When trying to run Blitzbank I get an error saying "Syntax error in line 2, invalid file path".
Seems like the files are not there anymore... If I delete the "Delete File:" path then I don't get any errors, I haven't pressed OK yet though as I'll wait for your reply.

Edit: I do however have 2x desktop.ini in C:\Users\Axel\Desktop\(desktop.ini)
« Last Edit: September 09, 2012, 11:43:57 PM by Axel_B »

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32-Patched-AKC [Trj]
« Reply #13 on: September 09, 2012, 11:43:24 PM »
Ok, skip BB. Go to TDSSKiller ( with change parametres ) and at the end run OTL as instructed above.

Axel_B

  • Guest
Re: Win32-Patched-AKC [Trj]
« Reply #14 on: September 09, 2012, 11:55:59 PM »
Alright, logs attached.
Did you see my edit on the post above?