Trojan-Downloader.Win32.Agent.cyzf


  • This topic is locked
3 replies to this topic

#1 retiredbri


  • Members
  • 7 posts

Posted 15 January 2010 - 11:50 AM

Forenote:
I realise I shouldn't have run Combofix but did it before reading & joining this forum.

Before running Combofix
On 8 Jan, Trojan-Downloader.Win32.Agent.cyzf was located on my PC by Kaspersky Internet Security 7 (KIS 7) as file cltest.exe (used by Power DVD to check the external DVD). This file has been on my PC for many years. At this date, VirusList.com did not know of this trojan.

I accepted the KIS instruction to delete it to the KIS backup together with two files in the Restore folder and then started a full scan of my PC.
The event log strangely reports KIS turned off for about 6 minutes. I do not think I turned it off.
I panicked because a similar trojan Agent.alby turns off KIS, captures screens and is a key-logger.

Early on 9 Jan, I reported everything to Kaspersky Support and sent the files and the GetSystemInfo (GSI) file.
I conducted a full computer scan followed by a rootkit scan and KIS reported no problems found.
However, it seemed that everything had slowed down so I was concerned that during the time KIS7 was off, the virus had established itself as a legitimate programme.

I could not get a quick answer to my GSI report, but I was "informed" that Combofix would tell me more.
Combofix was downloaded from Kaspersky.com and was saved to my desktop as 999fix.exe as instructed.

Running Combofix
I followed the instructions on bleepingcomputer and ran "999fix.exe".
It ran and updated itself.

The instructions (as on this site) said it would perform a restore and backup of the registry, but the registry backup "activity progress bar" did not appear.

It started scanning but at 6A reported "Windows error - PEV.exe needs to close - report etc." I did nothing and the scans continued.

All finished and Combofix rebooted and the report was produced. Apart from Combofix deleting three files, it all went as per your instructions. I did not make any changes to my PC and Combofix didn't tell me to do anything.

The report file is attached.
Note: RoboMaster, Graphtec, Grape Systems, Gedpage, Gedcom to HTML are programs I have added.
Zone Alarm, early Kaspersky KAV 5 and 6, Broadjump/CFD, Ad-Aware are no longer used.

Post running Combofix
All appears to be running ok - I may have imagined that things were "not right" - so there may not have been an infection.
KIS has updated itself and performed startup scans each time and nothing suspicious is reported.
Because PEV.exe may show as a problem, I have not run a full scan or rootkit scan until I hear from you.

I note that there is not a restore point for the day that Combofix was run
PEV.exe dated 9 Dec 2009 256Kb is in C:\Windows
There is a 999fix folder in C:\ containing files and a sub folder N_
The deleted twain file does not seem to have affected the scanner, printer and camera

I have run a CD with a .wmf file and it appears to work so not sure if the missing cltest.exe file (that was deleted) is having any effect.
Being wise after the event, it could be something as simple as cltest.exe giving a false positive.
Because no one at Kaspersky was able to give me the answer, I feared it was something worse.

Cleaning up
Finally, can I remove Combofix/999fix (as per the instructions on this site)?
If I do, will it matter if the deleted files are restored?
Can I just manually delete the 999fix folder and PEV.exe?

Regards

retiredbri
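The post above ends with the suspicion that cltest.exe was a false positive, which is what the thread later confirms. The following is an added example, not code from the original thread or from Kaspersky or BleepingComputer, showing the triage a practitioner would do on a flagged file before deleting it: record its size, timestamps and hashes, check its Authenticode signature and embedded version information, and keep the hash for submission to the AV vendor. The path is an assumption (the thread does not say where cltest.exe lived); Get-FileHash needs PowerShell 4 or later, so it would not have run on the 2010-era machine in the thread. A valid vendor signature is strong evidence for a false positive on a file that has been present for years, but it is not proof, since malware has shipped with valid signatures.

```powershell
# Added example (not from the original thread): triage an executable an AV product has
# flagged, before deleting it. The path is an ASSUMPTION; the thread does not give it.
$Path = 'C:\Program Files\CyberLink\PowerDVD\cltest.exe'

function Get-FileTriage {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $item   = Get-Item -LiteralPath $Path
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash   # older vendor portals ask for MD5

    [pscustomobject]@{
        Path             = $item.FullName
        SizeBytes        = $item.Length
        LastWriteTimeUtc = $item.LastWriteTimeUtc
        SHA256           = $sha256
        MD5              = $md5
        SignatureStatus  = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        FileDescription  = $item.VersionInfo.FileDescription
        CompanyName      = $item.VersionInfo.CompanyName
    }
}

$t = Get-FileTriage -Path $Path
$t | Format-List

# Decision hints, in order of how much weight each signal carries.
switch ($t.SignatureStatus) {
    'Valid' {
        "Signed by $($t.Signer). A valid signature from the expected vendor on a long-present file argues for a false positive."
    }
    'HashMismatch' {
        "Signed, but the file content no longer matches the signature: treat as tampered and keep the hashes for the vendor."
    }
    default {
        "Unsigned or unverifiable: submit the SHA256 above to the AV vendor rather than guessing."
    }
}
```

Run it from an elevated prompt before letting the AV product delete the file; once the file is in the AV quarantine or backup the hash can still be recovered, but the signature check is simplest on the file in place.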

#2 pwgib


  • Malware Response Team
  • 2,958 posts
  • Gender:Male
  • Location:God's Country

Posted 21 January 2010 - 11:50 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 retiredbri

  • Topic Starter

  • Members
  • 7 posts

Posted 22 January 2010 - 12:09 PM

QUOTE(pwgib @ Jan 21 2010, 04:50 PM)
Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know.



Thanks everyone

Problem was a false positive. Kaspersky Support just didn't get round to replying to my 9 Jan query so I thought I was infected.

Please close this thread


#4 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 22 January 2010 - 05:18 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].