Author Topic: Win32:Patched-AKC [Trj]  (Read 5359 times)


Odiosus

  • Guest
Win32:Patched-AKC [Trj]
« on: November 05, 2013, 08:28:32 PM »
I initially had a problem when I torrented a song and found that it would pop up and play every time I would log into my account.
I've tried deleting it several times but it continues to reappear back in a temp folder. I figured it wasn't anything too serious so I just dealt with it and closed it as it would come up on start up.
Soon enough I noticed my computer was slowing down, so I decided to get an anti-virus. To my dismay I wasn't able to access Microsoft or Anti-virus websites to help me solve this situation. Although, I have managed to fix this.

I installed Avast! and found that Win32:Patched-AKC [Trj] was the only threat that couldn't be deleted, fixed etc etc.
Considering it involves System 32 I am guessing it would be very difficult to remove as removing System 32 would completely ruin my laptop. How would I go around fixing this?
« Last Edit: November 05, 2013, 09:19:19 PM by Odiosus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37554
  • Not a avast user
Re: Win32:Patched-AKC [Trj]
« Reply #1 on: November 05, 2013, 08:36:37 PM »
follow this guide and attach logs....not copy and paste   http://forum.avast.com/index.php?topic=53253.0

run in order listed
AdwCleaner / Malwarebytes / OTL

when done, malware experts will be notified and help you
when finished, all tools used will be removed


Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32:Patched-AKC [Trj]
« Reply #2 on: November 05, 2013, 09:17:46 PM »
Monitoring

Odiosus

  • Guest
Re: Win32:Patched-AKC [Trj]
« Reply #3 on: November 05, 2013, 09:44:58 PM »
Attachments:
AdwCleaner
Malwarebytes' Anti Malware
OTL
Extras

Odiosus

  • Guest
Re: Win32:Patched-AKC [Trj]
« Reply #4 on: November 05, 2013, 09:51:12 PM »
Attachment:
AswMBR
« Last Edit: November 05, 2013, 10:15:46 PM by Odiosus »

Offline magna86

Re: Win32:Patched-AKC [Trj]
« Reply #5 on: November 05, 2013, 10:47:38 PM »
Hey Odiosus,

AdwCleaner logs ...
AdwCleaner[R0].txt - [7923 octets] - [06/11/2013 08:49:08]
AdwCleaner[R1].txt - [631 octets] - [06/11/2013 08:54:18]
AdwCleaner[S0].txt - [7822 octets] - [06/11/2013 08:50:57]



- You have attached the [R1] report. I'll need to see the [S0] report. Please attach the AdwCleaner[S0].txt log report here.





Scan with Combofix:
  • Please download ComboFix by sUBs and save it to your Desktop.
    You may read how Combofix works here.

  • Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

  • Run ComboFix. Click on I Agree! & follow the prompts.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.

  • When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
    (typical log location: C:\ComboFix.txt )

Odiosus

  • Guest
Re: Win32:Patched-AKC [Trj]
« Reply #6 on: November 05, 2013, 11:02:46 PM »
AdwCleaner [S0]

Odiosus

  • Guest
Re: Win32:Patched-AKC [Trj]
« Reply #7 on: November 06, 2013, 12:26:53 AM »
Attachment:
ComboFix

Is there anything else required?

Offline magna86

Re: Win32:Patched-AKC [Trj]
« Reply #8 on: November 06, 2013, 12:43:37 AM »
Looks good. ComboFix has done an excellent job. But we still have some work to do.
   



Open notepad and copy/paste the text present inside the code box below:


Code:
Folder::
c:\windows\Installer\{4837efbf-9635-b913-35d3-1c368ca388a3}
c:\program files (x86)\SweetIM

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"1781466620"=-

ClearJavaCache::

FileLook::
c:\windows\system32\services.exe

DDS::
IE: Search the Web - c:\program files (x86)\SweetIM\Toolbars\Internet Explorer\resources\menuext.html

Save this as CFScript.txt



Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

-----------------------------------------------


Re-check:

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Odiosus

  • Guest
Re: Win32:Patched-AKC [Trj]
« Reply #9 on: November 06, 2013, 04:35:23 AM »
Attachments:
ComboFix Log
FRST
Addition

Offline magna86

Re: Win32:Patched-AKC [Trj]
« Reply #10 on: November 06, 2013, 12:06:07 PM »

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
HKU\JARED.Woody-PC\...\Run: [Ozitcuofre] - C:\Users\JARED.Woody-PC\AppData\Roaming\Okdaz\oboni.exe
HKU\JARED.Woody-PC\...\CurrentVersion\Windows: [Load] c:\users\jared~1.woo\dxlxvy.exe <===== ATTENTION
HKU\Woody\...\Run: [Ofbuuc] - C:\Users\Woody\AppData\Roaming\Ehofum\akyv.exe
C:\Users\JARED.Woody-PC\AppData\Roaming\Okdaz
c:\users\jared~1.woo\dxlxvy.exe
C:\Users\Woody\AppData\Roaming\Ehofum\akyv.exe
FF SearchPlugin: C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\searchplugins\babylon.xml
FF SearchPlugin: C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\searchplugins\delta.xml
C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\searchplugins\babylon.xml
C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\searchplugins\delta.xml
FF Extension: uTorrentControl_v2  - C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\Extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
FF Extension: No Name - C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\Extensions\{4de46b94-1b91-474a-9ae5-6074f86ef7e9}.xpi
C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\Extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
C:\Users\Karren.Woody-PC\AppData\Roaming\Mozilla\Firefox\Profiles\yongkj0u.default\Extensions\{4de46b94-1b91-474a-9ae5-6074f86ef7e9}.xpi
CHR HKLM-x32\...\Chrome\Extension: [pacgpkgadgmibnhpdidcnfafllnmeomc] - C:\Users\JAREDR\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx
C:\Users\JAREDR\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx
2013-11-06 02:50 - 2013-03-15 09:32 - 00000000 ____D C:\Users\JARED.Woody-PC\AppData\Roaming\Uzlour
2013-11-06 02:50 - 2013-03-15 09:32 - 00000000 ____D C:\Users\JARED.Woody-PC\AppData\Roaming\Okdaz
2013-11-06 02:50 - 2013-02-25 17:15 - 00000000 ____D C:\Users\Karren.Woody-PC\AppData\Roaming\Poawt
2013-11-06 02:50 - 2013-03-27 13:40 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Zoree
2013-11-06 02:50 - 2013-03-27 13:39 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Beuk
2013-11-06 02:50 - 2013-03-27 13:39 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Acxuu
2013-11-06 02:50 - 2013-03-27 13:38 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Mugowi
2013-11-06 02:50 - 2013-03-27 13:37 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Evraaw
2013-11-06 02:50 - 2013-03-27 13:37 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Afyhu
2013-11-06 02:50 - 2013-03-27 13:36 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Ypol
2013-11-06 02:50 - 2013-03-27 13:36 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Inolta
2013-11-06 02:50 - 2013-03-27 13:35 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Hyuqg
2013-11-06 02:50 - 2013-03-15 09:32 - 00000000 ____D C:\Users\JARED.Woody-PC\AppData\Roaming\Uzlour
2013-11-06 02:50 - 2013-03-15 09:32 - 00000000 ____D C:\Users\JARED.Woody-PC\AppData\Roaming\Okdaz
2013-11-06 02:50 - 2013-02-25 17:15 - 00000000 ____D C:\Users\Karren.Woody-PC\AppData\Roaming\Poawt
2013-11-06 02:50 - 2012-07-14 22:50 - 00000000 ____D C:\Users\Woody\AppData\Roaming\Ehofum
C:\Users\Woody\AppData\Local\{4837efbf-9635-b913-35d3-1c368ca388a3}
C:\Users\Karren.Woody-PC\jagex_cl_oldschool_LIVE.dat
C:\Users\Karren.Woody-PC\jagex_cl_runescape_LIVE.dat
C:\Users\Karren.Woody-PC\jagex_cl_runescape_LIVE1.dat
C:\Users\Karren.Woody-PC\jagex_cl_speccollect_LIVE.dat
C:\Users\Karren.Woody-PC\random.dat
Task: {F5206982-4BC4-4F93-B4AB-2533F61661AF} - \YourFile Update No Task File
Task: {FE795491-AC60-4881-895C-96B5B9A66608} - \Express FilesUpdate No Task File
AlternateDataStreams: C:\Users\Jackie Wood\Downloads:Shareaza.GUID
End


2.
Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.


Then attach a fresh FRST.txt log report by simply re-running FRST and hitting the Scan button.
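
An added example, not part of the original posts and not FRST's own code: a small triage script that reads registry autostart lines in the shape shown in the fixlist above and flags entries that launch an executable from a user profile. The regex, function names and reason strings are assumptions made for this illustration, and the sample lines are constructed.

```python
import re
from pathlib import PureWindowsPath

# Line shapes copied from the fixlist above (assumed, not a format specification):
#   HKU\<user>\...\Run: [<value>] - <path>
#   HKU\<user>\...\CurrentVersion\Windows: [Load] <path> <===== ATTENTION
ENTRY_RE = re.compile(
    r"^(?P<hive>HK(?:LM-x32|LM|U))\\(?P<key>.+?):\s*\[(?P<value>[^\]]+)\]\s*"
    r"(?:-\s*)?(?P<target>.+?)(?:\s*<=+\s*ATTENTION)?\s*$"
)

def parse_entry(line):
    """Return a dict for a registry autostart line, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None

def reasons(entry):
    """List why an autostart entry deserves a closer look (empty list = none)."""
    found = []
    # The Load value under ...\CurrentVersion\Windows is a legacy autostart location.
    if entry["key"].lower().endswith("\\windows") and entry["value"].lower() == "load":
        found.append("legacy Load autostart value")
    parts = [p.lower() for p in PureWindowsPath(entry["target"]).parts]
    if "users" in parts:
        below_profile = parts[parts.index("users") + 2:]  # path below C:\Users\<name>
        if len(below_profile) == 1:
            found.append("executable directly in profile root")
        elif below_profile[:1] == ["appdata"]:
            found.append("executable under AppData")
    return found

def triage(lines):
    """Map each flagged autostart target to its reasons."""
    flagged = {}
    for line in lines:
        entry = parse_entry(line)
        if entry and (why := reasons(entry)):
            flagged[entry["target"]] = why
    return flagged

# Constructed sample lines (user, value and file names are made up).
SAMPLE = [
    r"HKU\alice\...\Run: [Qwxyz] - C:\Users\alice\AppData\Roaming\Abcde\fghij.exe",
    r"HKU\alice\...\CurrentVersion\Windows: [Load] c:\users\alice\klmno.exe <===== ATTENTION",
    r"HKLM\...\Run: [ExampleUpdater] - C:\Program Files\Example\updater.exe",
    r"C:\Users\alice\AppData\Roaming\Abcde",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A flag here only marks an entry for manual review; legitimate software also starts from AppData.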

Odiosus

  • Guest
Re: Win32:Patched-AKC [Trj]
« Reply #11 on: November 07, 2013, 12:26:37 AM »
Attachments:
Fixlog
FRST

Offline magna86

Re: Win32:Patched-AKC [Trj]
« Reply #12 on: November 07, 2013, 01:45:02 AM »
You have attached the FRST.txt log only, without FixLog.txt. I shall need FixLog.txt as well...

Odiosus

  • Guest
Re: Win32:Patched-AKC [Trj]
« Reply #13 on: November 07, 2013, 11:03:37 AM »
Oops, I apologise. I was sure I attached it!

Offline magna86

Re: Win32:Patched-AKC [Trj]
« Reply #14 on: November 07, 2013, 02:42:28 PM »
Looks good. How is your computer behavior now?