
patched_c.lyt Trojan Horse Removal - HELP!

Boyfriend has managed to get his laptop infected with this virus and I'm really struggling to remove it :angry: AVG and Malwarebytes can't remove it so I've tried following the step-by-step here but I don't seem to have the registry files it wants me to delete!

Can anyone help, please?! As this is driving me crazy! It's an Acer Aspire 5920 running Windows Vista if that's any use.

Comments

  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Is Malwarebytes detecting Rootkit.0Access?

    Download DDS from the link below and save it to your desktop:

    Link

    After you've downloaded it and saved it to your desktop:
    • Double click DDS to run it.
    • When it's finished, DDS will open two logs:
    1. DDS.txt
    2. Attach.txt
    Save both reports to your desktop.

    Copy & paste the contents of just DDS.txt for now and post it here (you may need to split the log over separate posts).
  • .
    DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_32
    Run by Andrew at 17:32:39 on 2012-07-10
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.1524 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\Explorer.EXE
    "C:\Windows\System32\svchost.exe" -k LocalServiceDns
    "C:\Windows\System32\svchost.exe" -k LocalServiceDns
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
    C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZJfox000&ptb=vjwKa2JHILqv8..hgU5hxQ
    mStart Page = hxxp://en.uk.acer.yahoo.com
    mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
    uInternet Settings,ProxyServer = http=127.0.0.1:52162
    uInternet Settings,ProxyOverride = <local>;*.local
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [conhost] c:\users\andrew\appdata\roaming\microsoft\conhost.exe
    mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [ALaunch] c:\acer\alaunch\AlaunchClient.exe
    mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
    mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
    mRun: [PlayMovie] "c:\program files\acer arcade deluxe\play movie\PMVService.exe"
    mRun: [eRecoveryService]
    mRun: [PLFSet] rundll32.exe c:\windows\PLFSet.dll,PLFDefSetting
    mRun: [WarReg_PopUp] c:\program files\acer\wr_popup\WarReg_PopUp.exe
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.207\SSScheduler.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\SETAUDIO.EXE
    StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\SETRES.EXE
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{BD6ACDFF-92AA-4972-9BC0-B3D504D5906B} : DhcpNameServer = 192.168.1.1
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\hyta1k67.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
    FF - prefs.js: browser.search.selectedEngine - MyWebSearch
    FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
    FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZJfox000&ptb=vjwKa2JHILqv8..hgU5hxQ&psa=&ind=2010071013&ptnrS=ZJfox000&si=&st=kwd&n=77cf3fe5&searchfor=
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 52162
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
    FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
    FF - plugin: c:\windows\system32\npdeployJava1.dll
    FF - plugin: c:\windows\system32\npmproxy.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AFS;AFS;c:\windows\system32\drivers\AFS.SYS [2009-12-23 79052]
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
    R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2008-3-13 43008]
    S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
    S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
    S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2008-6-21 41456]
    S2 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2008-3-13 51200]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
    S2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    S2 gupdate1c990f14d9df472;Google Update Service (gupdate1c990f14d9df472);c:\program files\google\update\GoogleUpdate.exe [2009-2-17 133104]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-8 257224]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-3-13 179712]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-2-17 133104]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.207\McCHSvc.exe [2011-6-17 237008]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-29 113120]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-06-29 17:55:14 d-----w- c:\program files\Mozilla Maintenance Service
    2012-06-29 17:55:10 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
    2012-06-29 17:55:10 624608 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
    2012-06-29 17:55:10 43488 ----a-w- c:\program files\mozilla firefox\mozglue.dll
    2012-06-29 17:55:10 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
    2012-06-29 17:55:10 157608 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
    2012-06-29 17:55:10 113120 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
    2012-06-21 20:56:01 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 20:55:38 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-21 20:55:28 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-21 20:55:28 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-15 21:11:59 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-06-15 21:11:57 2045440 ----a-w- c:\windows\system32\win32k.sys
    .
    ==================== Find3M ====================
    .
    2012-07-08 16:56:29 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-08 16:56:29 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-05-20 19:31:52 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-05-20 19:31:52 472864 ----a-w- c:\windows\system32\deployJava1.dll
    2012-05-15 22:04:50 834048 ----a-w- c:\windows\system32\wininet.dll
    2012-04-23 16:00:53 984064 ----a-w- c:\windows\system32\crypt32.dll
    2012-04-23 16:00:53 98304 ----a-w- c:\windows\system32\cryptnet.dll
    2012-04-23 16:00:53 133120 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-04-19 14:18:04 389632 ----a-w- c:\windows\system32\html.iec
    2012-04-19 13:53:00 1383424 ----a-w- c:\windows\system32\mshtml.tlb
    .
    ============= FINISH: 17:34:23.95 ===============
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Yes, it's the Sirefef rootkit, aka ZeroAccess.


    Go here and read through the instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial
    • Ensure you temporarily turn off your antivirus (AVG) before running. Instructions here
    • Double click combofix.exe & follow the prompts closely.
    • When it's finished, it'll produce a log. Post the contents of that log.
    • It'll be found on your C:\ drive named combofix.txt
    Above all, BE PATIENT! and let it run its course.
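    The diagnosis above rests on two lines of the DDS log: the IE and Firefox proxy settings pointing back at 127.0.0.1:52162, and a Run entry named `conhost` that lives in the user's AppData\Roaming rather than System32. The script below is an added example (not part of this thread, DDS or ComboFix) that encodes those checks as triage rules and runs them over a few constructed lines copied from the log; the list of system binary names it watches for is an assumption, not a complete one.

```python
"""Triage rules for DDS 'Pseudo HJT Report' and Firefox prefs lines.

Added example, not DDS/ComboFix code. It flags two ZeroAccess-style
indicators seen in the log above: a browser proxy that points at the
loopback address, and a Run entry whose file name copies a Windows
system binary but sits outside the Windows directories.
"""
import re

# Assumption: short illustrative list of system binary names that malware
# commonly reuses when dropping a copy into a user-writable directory.
SYSTEM_BINARY_NAMES = {"conhost.exe", "svchost.exe", "csrss.exe",
                       "lsass.exe", "explorer.exe", "winlogon.exe"}
LEGIT_SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# IE: "uInternet Settings,ProxyServer = http=HOST:PORT"
# Firefox: "FF - prefs.js: network.proxy.http - HOST"
PROXY_RE = re.compile(r"(?:ProxyServer\s*=\s*http=|network\.proxy\.http\s*-\s*)(\S+)", re.I)
# "uRun: [name] path" / "mRun: [name] "path with spaces.exe" args"
RUN_RE = re.compile(r'^[um]Run:\s*\[([^\]]*)\]\s*"?(.+?\.(?:exe|dll|com|scr))\b', re.I)


def is_loopback_proxy(value):
    """True when the proxy host is the local machine (HOST or HOST:PORT)."""
    host = value.split(":")[0].lower()
    return host in ("127.0.0.1", "localhost")


def triage(lines):
    """Return (rule, line) pairs for every line that trips a rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = PROXY_RE.search(line)
        if m and is_loopback_proxy(m.group(1)):
            findings.append(("loopback-proxy", line))
            continue
        m = RUN_RE.match(line)
        if m:
            dirname, _, name = m.group(2).lower().rpartition("\\")
            if name in SYSTEM_BINARY_NAMES and dirname not in LEGIT_SYSTEM_DIRS:
                findings.append(("masquerading-run-entry", line))
    return findings


# Constructed sample: lines taken from the DDS log posted above plus benign ones.
SAMPLE = [
    r"uInternet Settings,ProxyServer = http=127.0.0.1:52162",
    r"uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun",
    r"uRun: [conhost] c:\users\andrew\appdata\roaming\microsoft\conhost.exe",
    r"mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart",
    r"mRun: [eRecoveryService]",
    r"FF - prefs.js: network.proxy.http - 127.0.0.1",
    r"FF - prefs.js: network.proxy.http_port - 52162",
]

if __name__ == "__main__":
    for rule, line in triage(SAMPLE):
        print(f"{rule:24} {line}")
```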
  • Thanks, waddler_8. I'm running it now, it has been running and restarted the machine twice but now seems to be stuck on "Please wait." Hopefully I'll have something to report soon.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Has it gone through the 50 stages & rebooted?
    If so it will be preparing the log report soon.
  • Yes it had done the 50 stages and then rebooted. It does seem to have been stuck on "Please wait." for about 20 minutes now though :undecided Not sure if that's just the time it takes to prepare the log?
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Be patient, you should get the log soon. This is a particularly troublesome bit of malware, so combofix may take a while longer to complete.

    I've got to nip out now but will be back in about an hour.
  • It still hasn't moved from "Please wait." :undecided and the computer doesn't actually seem to be doing anything either.
  • closed
    closed Posts: 10,886 Forumite
    edited 10 July 2012 at 9:06PM
    You could factory restore it using acer erecovery (after backing up data with a bootcd http://www.paragon-software.com/home/rk-express/download_old.html) if all else fails, but for now wait a little longer to see if combofix finishes or waddler returns.

    Even after doing erecovery (if it works), scan with an AV bootcd to check nothing is left in the boot sector.

    Rootkits or hard-to-remove malware are best removed with an antivirus bootcd imo; this can download multiple AV bootcds and combine them into one DVD or USB flash drive (if you don't have any DVDs, you need an empty USB stick, or one that can be emptied). Kaspersky rescue CD is one of the better ones, if you don't want to download more than one.

    http://www.sarducd.it/beta.html

    For the future, better AV, and a means to backup and restore the whole system in minutes.

    http://www.filehippo.com/download_avast_antivirus/
    http://www.macrium.com/reflectfree.aspx
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Press CTRL+SHIFT+ESC

    Does Task manager open?