Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Backdoor:Win32/Cycbot.B Trojan


  • This topic is locked This topic is locked
2 replies to this topic

#1 vns5135

vns5135

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 01 January 2011 - 05:13 PM

Hi Forum Experts,

About seven hours ago, I received a warning on Windows Defender: "Windows Defender detected programs that might compromise your privacy or damage your computer." The name of the program was: Backdoor:Win32/Cycbot.B. The alert level was: Severe.

I looked up the trojan online and realized writing to you might be the best bet.

OS Config: Microsoft Vista Home Premium, Version 6.0.6002 Service Pack 2 Build 6002.
System: HP Pavilion dv6700 Laptop
Processor: AMD Turion 64 x2, 2 Ghz, 2 core
Internet: On Broadband Wifi

Things seen so far:
1) Google searches automatically redirect to suspect websites. Both on Firefox and IE. I have stopped using the infected laptop and am using another one on the same WiFi network to communicate.
2) Windows Defender temporarily removes the trojan, but it reappears as a warning within a few minutes.
3) I unfortunately had no updated anti-virus software on my laptop when the first Defender warning came today.
4) I downloaded Avast after getting the Defender warning. Avast (free version) with a full scan is not able to recognize the trojan. However, it was able to block access to a website when clicking a google search redirected me to a suspicious website.
5) I am unable to download Spybot on the infected system. During installation, I keep getting the message "Connection timed out" This does not happen on the other clean laptop on the same Wifi network.
6) The clean laptop has updated virus files and is running.

Things done so far after the first warning notice:
1) 'Removed' trojan using Defender more than 10 times, just to get rid of the message at times. Cycbot.B keeps reappearing.
2) All transfer of data to and from the infected laptop is through a USB stick.
3) Avast full scan is unable to detect the presence of the trojan. Avast used to do boot-scan. Boot scan reveals a separate 'Win32:KillApp-W' on laptop and is deleted.
4) Avast revealed three corrupt zip or picture files during boot-up, in the C:\user\<username>\appData\local\temp folder.
I removed most content from \temp folder. File 'csrss' was unable to be moved and is still there.
5) Disconnected the Internet from infected laptop.

I look forward to hearing from you soon. Thanks a lot for the work you all do!
vns5135

Edited by vns5135, 02 January 2011 - 02:33 PM.


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:18 PM

Posted 07 January 2011 - 03:14 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:18 PM

Posted 16 January 2011 - 09:23 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users