In-the-Field Analysis of the "Trojan horse Patched_c.LYT" Virus

A long-term client recently contacted us about problems with her PC. She described the symptoms as follows:

"After Googling something and clicking a link I am hijacked off to an arbitrary website or pop-up".

I began by copying the analysis and repair tools to the infected laptop via USB drive: AVG, ComboFix, OTL, and MalwareBytes.

The first step is an AVG scan. It flags C:\Windows\System32\services.exe as infected with "Trojan horse Patched_c.LYT". AVG offers little help against malware that has patched services.exe itself (a core system process that cannot simply be quarantined), so removing the infection with the anti-virus alone is not an option.

The next step is a ComboFix scan. Note that I rename ComboFix before copying it to the infected laptop, because some spyware and adware specifically watch for combofix.exe by name.

Some additional notes on combofix.exe:

1. Close every open web browser before running it.
2. Close and disable any anti-virus or anti-malware software.
3. Clicking on ComboFix while it is running may cause it to stall.
4. ComboFix may interrupt the internet connection if it is terminated prematurely. A system reboot clears this.
5. ComboFix may report the error "Illegal operation attempted on a registry key that has been marked for deletion". A system restart fixes this as well.

The ComboFix log also points at C:\Windows\System32\services.exe. We need a clean copy of services.exe to replace the infected file in the System32 folder. I start an OTL session and use a custom scan to list every copy of the file on the laptop with its MD5, so an authentic copy can be picked out. I take the opportunity to locate a clean copy of smss.exe as well:

/md5start
services.*
smss.*
/md5stop

Now that we have the location of the original system files, we can overwrite the infected ones. A system executable can be replaced in several ways; I opt for either a manual restore with a tool such as ComboFix or the System File Checker utility. In this case I fire up ComboFix and manually copy the clean executables with a script:

FCopy::
C:\Windows\winsxs\[location of your services folder]\services.exe | C:\Windows\System32\services.exe
C:\Windows\winsxs\[location of your smss folder]\smss.exe | C:\Windows\System32\smss.exe
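The OTL md5 listing above is doing one job: finding which copy of services.exe (or smss.exe) under winsxs is the genuine one, so the infected file in System32 can be compared against it and then replaced. The following PowerShell script is an added example for the same check and is not part of the original post or of OTL or ComboFix. It hashes the live System32 copy, enumerates every copy of the same file under C:\Windows\winsxs, hashes those too, checks each one's Authenticode signature, and flags the case this post describes: an unsigned or invalid live copy while signed copies sit in the component store. It assumes an elevated PowerShell 4.0 or later prompt on the affected machine (Get-FileHash needs 4.0) and the default %SystemRoot% layout; the file names and paths are parameters.

```powershell
# Added example (not from the original post): compare the live System32 copy of a
# protected executable with the copies kept under C:\Windows\winsxs, by SHA256 hash
# and Authenticode status, instead of reading an MD5 listing by eye.
# Assumptions: elevated PowerShell 4.0+; Get-FileHash and Get-AuthenticodeSignature
# are the built-in cmdlets; paths default to the standard %SystemRoot% layout.
param(
    [string[]]$Names   = @('services.exe', 'smss.exe'),
    [string]  $System32 = (Join-Path $env:SystemRoot 'System32'),
    [string]  $WinSxS   = (Join-Path $env:SystemRoot 'winsxs')
)

function Get-FileReport {
    # Hash, signature status, signer and timestamp for one file on disk.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        SHA256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status                # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Modified  = (Get-Item -Path $Path).LastWriteTime
    }
}

foreach ($name in $Names) {
    # The copy that actually runs at boot.
    $live = Get-FileReport -Path (Join-Path $System32 $name)
    Write-Host "=== $name (live copy in System32) ==="
    $live | Format-List

    # Every copy the component store holds. A clean copy should be validly signed;
    # a copy whose hash equals the live file is no use as a replacement if the live
    # file is the infected one.
    $candidates = Get-ChildItem -Path $WinSxS -Filter $name -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-FileReport -Path $_.FullName }

    Write-Host "--- candidates under winsxs ---"
    $candidates |
        Select-Object Path, SigStatus, Modified,
            @{ Name = 'MatchesLive'; Expression = { $_.SHA256 -eq $live.SHA256 } } |
        Format-Table -AutoSize

    # The picture this post describes: the running file is no longer validly signed
    # while the component store still holds signed originals.
    $signed = @($candidates | Where-Object { $_.SigStatus -eq 'Valid' })
    if ($live.SigStatus -ne 'Valid' -and $signed.Count -gt 0) {
        Write-Warning "$name in System32 is not validly signed; $($signed.Count) signed copy/copies found under winsxs."
    }
}
```

Run it once before the FCopy step to pick the candidate (signed, and not matching the live hash), and again after the reboot to confirm the live copy now hashes identically to that candidate. Two caveats: on Windows 7 many system binaries are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature can report NotSigned for a perfectly good file there; treat SigStatus as advisory and rely on the hash comparison. The built-in equivalent for a single file is `sfc /verifyfile=C:\Windows\System32\services.exe`, which is the System File Checker route mentioned above.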

This appears to have resolved the problem. The infected computer is now running normally.

At this point I like to tie up loose ends by running MalwareBytes. A few notes on MBAM:

1. Check for updates before running the application.
2. A quick scan will do in most situations.
3. Review the scan results, make sure all items are selected, then remove all selected objects.
4. If MBAM encounters a stubborn file you will be prompted with a couple of dialog boxes. Let MBAM complete the procedure and restart the system.

In this case the MBAM scan comes back clean.

Taylor Jacobson writes about actual experiences from our computer repair shop in Encino, CA. For more information regarding these types of computer viruses, check out: Encino Computer Repair Field Docs. If you require assistance repairing your computer, we offer free online diagnostics: EncinoComputerRepair.com
