About seven hours ago, I received a warning on Windows Defender: "Windows Defender detected programs that might compromise your privacy or damage your computer." The name of the program was: Backdoor:Win32/Cycbot.B. The alert level was: Severe.
I looked up the trojan online and realized writing to you might be the best bet.
OS Config: Microsoft Vista Home Premium, Version 6.0.6002 Service Pack 2 Build 6002.
System: HP Pavilion dv6700 Laptop
Processor: AMD Turion 64 X2, 2 GHz, 2 cores
Internet: broadband Wi-Fi
Things seen so far:
1) Google searches automatically redirect to suspect websites, in both Firefox and IE. I have stopped using the infected laptop and am using another one on the same Wi-Fi network to communicate.
2) Windows Defender temporarily removes the trojan, but it reappears as a warning within a few minutes.
3) I unfortunately had no updated anti-virus software on my laptop when the first Defender warning came today.
4) I downloaded Avast after getting the Defender warning. A full scan with Avast (free version) is not able to recognize the trojan. However, it was able to block access to a website when clicking a Google search result redirected me to a suspicious website.
5) I am unable to download Spybot on the infected system. During installation, I keep getting the message "Connection timed out". This does not happen on the other, clean laptop on the same Wi-Fi network.
6) The clean laptop has updated virus files and is running.
Things done so far after the first warning notice:
1) 'Removed' trojan using Defender more than 10 times, just to get rid of the message at times. Cycbot.B keeps reappearing.
2) All transfer of data to and from the infected laptop is through a USB stick.
3) An Avast full scan is unable to detect the presence of the trojan. I used Avast to run a boot-time scan; it revealed a separate 'Win32:KillApp-W' on the laptop, which was deleted.
4) Avast revealed three corrupt zip or picture files during boot-up, in the C:\Users\<username>\AppData\Local\Temp folder.
I removed most of the content from the \Temp folder. The file 'csrss' could not be moved and is still there.
5) Disconnected the Internet from infected laptop.
I look forward to hearing from you soon. Thanks a lot for the work you all do!
Edited by vns5135, 02 January 2011 - 02:33 PM.
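Two details in the post are worth a read-only check before anything is deleted: a file named csrss sitting in the user's Temp folder (the real csrss.exe lives only in %SystemRoot%\System32, so a copy elsewhere is worth a second look), and search redirects that hit both Firefox and IE, which points at name resolution on the machine rather than at one browser. The script below is an added triage example, not code from the original post or its responders; it assumes a current Windows PowerShell (Get-CimInstance and Get-DnsClientServerAddress need Windows 8 / PowerShell 3 or later, so on the poster's Vista box it would have to be adapted), and it only reports, it changes nothing.

```powershell
# Added triage example, not part of the original post. Read-only: it lists
# findings for a human to review and never deletes, kills or modifies anything.
# Assumes Windows 8+/PowerShell 3+ for Get-CimInstance and Get-DnsClientServerAddress.

$system32 = Join-Path $env:SystemRoot 'System32'

# 1. csrss.exe is a protected Windows process that is only ever started from
#    System32. Report any running csrss.exe whose image path is elsewhere, and
#    any file in the user's Temp folder that borrows the csrss name.
function Get-SuspiciousCsrss {
    $findings = @()

    Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" | ForEach-Object {
        # ExecutablePath is $null for protected processes when not elevated;
        # treat "unknown" as unknown, not as suspicious.
        if ($_.ExecutablePath -and
            -not $_.ExecutablePath.StartsWith($system32, 'OrdinalIgnoreCase')) {
            $findings += [pscustomobject]@{
                Kind = 'Process'; Path = $_.ExecutablePath; ProcessId = $_.ProcessId
            }
        }
    }

    Get-ChildItem -Path $env:TEMP -Filter 'csrss*' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Kind = 'File'; Path = $_.FullName; ProcessId = $null
            }
        }

    return $findings
}

# 2. Redirects that affect every browser usually come from the hosts file or
#    from the DNS servers the adapter is pointed at. Show both so they can be
#    compared against what the router / ISP is expected to hand out.
function Get-NameResolutionState {
    $hostsPath = Join-Path $system32 'drivers\etc\hosts'

    # Keep only active entries (an address followed by a name); skip comments and blanks.
    $hostsEntries = Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' }

    $dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.ServerAddresses } |
        Select-Object InterfaceAlias, ServerAddresses

    return [pscustomobject]@{
        HostsFile    = $hostsPath
        HostsEntries = $hostsEntries
        DnsServers   = $dnsServers
    }
}

# Report. An empty csrss list and a hosts file with only the localhost lines is the
# normal state; anything else is a lead for the helper handling the thread.
Write-Host '== csrss.exe outside System32 / csrss-named files in %TEMP% =='
Get-SuspiciousCsrss | Format-Table -AutoSize

Write-Host '== hosts file entries and DNS servers per adapter =='
$state = Get-NameResolutionState
Write-Host "hosts file: $($state.HostsFile)"
$state.HostsEntries
$state.DnsServers | Format-Table -AutoSize
```

Run it from an elevated prompt so that the image path of the protected csrss.exe is readable; unelevated, that field is blank and the script deliberately says nothing about it rather than raising a false alarm. A DNS server address that is not the router's or ISP's, or hosts entries for search engines and security vendors, would explain both the redirects and the "Connection timed out" when trying to download Spybot.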