Field Diary evaluation of the “Trojan Horse Patched_c. LYT” virus.

A long lasting customer, struggling with computer difficulties, just got into contact with me. She defined her pc conditions as follows:

“After Googling something and clicking a link I am whisked off to a arbitrary website or pop-up”.

I continued by uploading the fundamental analysis and maintenance tools to the afflicted pc by means of a flash drive – applications included AVG, ComboFix, OTL, and MalwareBytes.

My primary phase includes executing an AVG diagnostic. The outcome of the test indicated a concern in c: WindowsSystem32services. exe brought about by the virus “Trojan horse Patched_c. LYT”. AVG offers you minor assistance against a trojan targeting services. exe – so removal of the trojan by using an anti-virus software package is not an option.

The following measure includes running a comboFix scan. Bear in mind, I rename ComboFix before upload to the corrupted computer – because numerous viruses specify combofix. exe directly.

Some more things to consider with regards to combofix. exe include:
1. Shut any open windows before executing
2. Shut down and exit any anti-virus or anti-malware
3. Clicking on combofix while it executes may perhaps result in a stall
4. Combofix may interrupt internet connection if terminated prematurely. A system reboot clears this issue.
5. Combofix may display the error “Illegal operation attempted on a registery key that has been marked for deletion”. In cases like this, a system reboot fixes this issue.

The comboFix log reveals trouble in c: WindowsSystem32services. exe. We need to obtain a new version of services. exe to substitute the infected executable found in the System32 folder. I commence an OTL session and search the laptop for an original version. I also take this occasion to locate a clean backup of smss. exe.

/md5start
services. *
/md5stop

Now that we currently have the location of the genuine systems executables we can proceed to copy over the infected system files. We could replace a systems executable in quite a few techniques- I choose either a manual restore with software such as ComboFix or use of the System File Check tool. In this case I start ComboFix and manually copy the original files:

FCopy::
C: Windowswinsxs[location of your services folder]services. exe | C: WindowsSystem32services. exe
C: Windowswinsxs[location of your smss folder]smss. exe | C: WindowsSystem32smss. exe

This would seem to have solved the situation. The infected computer is now working splendidly.

At this point I like to tie up loose ends by running MalwareBytes. A couple of details about MBAM:
1. Look for updates before running this software.
2. Quick scan suffices in most conditions
3. View the results of the analysis and don’t forget to select all items, then eliminate all chosen objects.
4. In the case MBAM encounters a problematic file you will be prompted with a few dialog boxes. Permit MBAM to complete the process and restart the pc.

In this situation the MBAM diagnostic returns clean.

Posted in Virus, Malware And Spyware Removal

Leave a Reply

Call Us!
Call us for a free analysis.
(818) 674-0941
Poke us