
patched_c.lyt Trojan Horse Removal - HELP!

13 Comments

  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    scottishgirl87, Is AVG still detecting services.exe as being infected? Trojan patched_c.lyt?
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    I'm just running it now, at 64%, but so far no sign of. The pop-up was appearing on its own before but isn't appearing now either.
    Sound good. Confirmation that combofix got it wasn't in the logs, that's all.
  • waddler_8 wrote: »
    Sound good. Confirmation that combofix got it wasn't in the logs, that's all.

    Has finished and detected no threats. Does that mean I'm good to go?!
  • GunJack
    GunJack Posts: 11,855 Forumite
    waddler_8 wrote: »

    cheers bud, missed it when reading the log..really must do better with DDS :)
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Has finished and detected no threats. Does that mean I'm good to go?!
    There's a couple of leftovers from previous infections - best to get rid of them.

    Whilst I knock up a combofix script, run a quick scan with Malwarebytes.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Run this combofix script. If combofix tells you there is a newer version available, let it update.
    • Open Notepad
    • Copy and paste the text present inside the code box below (Don't include Code:)
    DDS::
    uStart Page = 
    uInternet Settings,ProxyServer = 
    uInternet Settings,ProxyOverride = 
    
    Firefox::
    FF - ProfilePath - c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\hyta1k67.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: browser.search.selectedEngine -
    FF - prefs.js: keyword.URL -
    FF - prefs.js: network.proxy.http - 
    FF - prefs.js: network.proxy.http_port - 
    FF - prefs.js: network.proxy.type -
    
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    • Temporarily disable your anti-virus (AVG), before following the steps below.
    • To disable your Antivirus (AVG), see here.
      [screenshot: CFScriptB-4.gif]
    • Drag CFScript.txt into ComboFix.exe as the screenshot above shows.
    • ComboFix will scan & may reboot when it finishes. Combofix.txt will open.
    • Copy and paste the contents of the log here.
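    An added example, not from the thread or from ComboFix itself: a small Python parser that reads DDS/ComboFix-style "Supplementary Scan" lines and lists which of the settings this CFScript blanks currently hold a value, so a helper can see what the script would remove before running it. The log lines are constructed samples, and the line formats are assumed from the entries shown in the thread.

```python
import re

# Settings the CFScript above blanks (DDS:: section = IE/Windows, Firefox:: = prefs.js).
# Firefox prefs are keyed "FF <pref>" here so they cannot collide with IE names.
CFSCRIPT_TARGETS = [
    "uStart Page", "uInternet Settings,ProxyServer", "uInternet Settings,ProxyOverride",
    "FF browser.search.defaulturl", "FF browser.search.selectedEngine", "FF keyword.URL",
    "FF network.proxy.http", "FF network.proxy.http_port", "FF network.proxy.type",
]

# Constructed sample lines in DDS/ComboFix "Supplementary Scan" style; not the thread's log.
SAMPLE_LOG = """\
uStart Page = hxxp://www.bbc.co.uk/
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = <local>
mStart Page = hxxp://en.uk.acer.yahoo.com
FF - prefs.js: browser.search.defaulturl - hxxp://search.example.invalid/?q=
FF - prefs.js: keyword.URL -
FF - prefs.js: network.proxy.type - 1
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8080
"""

IE_LINE = re.compile(r"^([um][A-Za-z ]+(?:,[A-Za-z]+)?) = ?(.*)$")  # uStart Page = ...
FF_LINE = re.compile(r"^FF - prefs\.js: (\S+) -\s*(.*)$")           # FF - prefs.js: x - ...

def parse_settings(log_text: str) -> dict:
    """Map setting name -> value for the IE/Windows and Firefox lines of a DDS-style log."""
    settings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FF_LINE.match(line)
        if m:
            settings["FF " + m.group(1)] = m.group(2).strip()
            continue
        m = IE_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def settings_cfscript_would_clear(log_text: str) -> list:
    """Targets that currently hold a non-empty value, i.e. what running the script removes."""
    s = parse_settings(log_text)
    return [name for name in CFSCRIPT_TARGETS if s.get(name, "")]

def proxy_is_configured(log_text: str) -> bool:
    """True if IE has a ProxyServer set or Firefox is in manual proxy mode (type 1)."""
    s = parse_settings(log_text)
    return bool(s.get("uInternet Settings,ProxyServer")) or s.get("FF network.proxy.type") == "1"
```

    A browser start page or search URL that is set is not itself a problem; the point is to see which values a cleanup script will wipe and to check the proxy entries, since a proxy pointing at an unexpected host is the setting most worth explaining before it is cleared.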
  • waddler_8 wrote: »
    Run this combofix script. If combofix tells you there is a newer version available, let it update.
    • Open Notepad
    • Copy and paste the text present inside the code box below (Don't include Code:)
    DDS::
    uStart Page = 
    uInternet Settings,ProxyServer = 
    uInternet Settings,ProxyOverride = 
    
    Firefox::
    FF - ProfilePath - c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\hyta1k67.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: browser.search.selectedEngine -
    FF - prefs.js: keyword.URL -
    FF - prefs.js: network.proxy.http - 
    FF - prefs.js: network.proxy.http_port - 
    FF - prefs.js: network.proxy.type -
    
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    • Temporarily disable your anti-virus (AVG), before following the steps below.
    • To disable your Antivirus (AVG), see here.
      [screenshot: CFScriptB-4.gif]
    • Drag CFScript.txt into ComboFix.exe as the screenshot above shows.
    • ComboFix will scan & may reboot when it finishes. Combofix.txt will open.
    • Copy and paste the contents of the log here.

    I've done this and got the log, but now neither Firefox (the usual browser) nor IE will open, meaning I can't get on here to post it (currently on my own computer).

    Firefox says "Illegal operation attempted on a registry key that has been marked for deletion." and IE just won't do anything.

    EDIT: Sorry IE also says the same.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Reboot, then open firefox again.
  • scottishgirl87
    scottishgirl87 Posts: 689 Forumite
    edited 10 July 2012 at 10:55PM
    waddler_8 wrote: »
    Reboot, then open firefox again.

    Oops, that would do the trick :o

    ComboFix 12-07-10.01 - Andrew 10/07/2012 22:25:18.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.829 [GMT 1:00]
    Running from: c:\users\Andrew\Desktop\ComboFix.exe
    Command switches used :: c:\users\Andrew\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-10 to 2012-07-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-10 21:37 . 2012-07-10 21:37 -------- d-----w- c:\users\Andrew\AppData\Local\temp
    2012-07-10 21:37 . 2012-07-10 21:37 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-10 20:56 . 2012-07-10 20:56 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-07-10 20:26 . 2012-07-10 21:37 -------- d-----w- c:\users\Andrew\AppData\Local\temp
    2012-06-29 17:55 . 2012-06-29 17:55 -------- d-----w- c:\program files\Mozilla Maintenance Service
    2012-06-29 17:55 . 2012-06-29 17:55 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
    2012-06-29 17:55 . 2012-06-29 17:55 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
    2012-06-29 17:55 . 2012-06-29 17:55 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
    2012-06-29 17:55 . 2012-06-29 17:55 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
    2012-06-29 17:55 . 2012-06-29 17:55 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
    2012-06-29 17:55 . 2012-06-29 17:55 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
    2012-06-21 20:56 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-21 20:56 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-21 20:56 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-21 20:56 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 20:55 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-21 20:55 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-21 20:55 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-21 20:55 . 2012-06-02 14:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-21 20:55 . 2012-06-02 14:12 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-15 21:11 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-06-15 21:11 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-08 16:56 . 2012-06-08 21:03 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-08 16:56 . 2012-06-08 21:03 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-05-20 19:31 . 2012-05-20 19:32 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-05-20 19:31 . 2012-05-20 19:32 472864 ----a-w- c:\windows\system32\deployJava1.dll
    2012-06-29 17:55 . 2011-03-28 13:30 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-17 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2008-03-11 92704]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-11 8534560]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-11 88608]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2008-01-24 102400]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
    "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-02-25 518656]
    "eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 1286144]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-11-22 178712]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-24 4702208]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-24 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-24 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-24 133656]
    "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-01-02 707080]
    "PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2008-01-22 200704]
    "PLFSet"="c:\windows\PLFSet.dll" [2007-04-25 45056]
    "WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-3-13 535336]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    SETAUDIO.EXE [2008-4-4 20480]
    SETRES.EXE [2008-4-4 20480]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMSWISSARMY
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-10 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-08 16:56]
    .
    2012-07-06 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-17 15:39]
    .
    2012-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore1ca5a0fc9be07e0.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-17 11:17]
    .
    2012-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-17 11:17]
    .
    .
    Supplementary Scan
    .
    mStart Page = hxxp://en.uk.acer.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\hyta1k67.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-10 22:37
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
    "ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
    .
    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    DLLs Loaded Under Running Processes
    .
    - - - - - - - > 'Explorer.exe'(3220)
    c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
    c:\acer\Empowering Technology\EPOWER\SysHook.dll
    .
    Completion time: 2012-07-10 22:42:32
    ComboFix-quarantined-files.txt 2012-07-10 21:42
    ComboFix2.txt 2012-07-10 20:26
    .
    Pre-Run: 58,529,157,120 bytes free
    Post-Run: 58,413,715,456 bytes free
    .
    - - End Of File - - 47590DCAA6940FAD9D1B982B7318CC1E
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    That looks a lot better - Was malwarebytes clean? Is IE ok now too?
This discussion has been closed.