Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Backdoor:Win32/Cycbot.B


  • This topic is locked This topic is locked
9 replies to this topic

#1 SusanTheAverage

SusanTheAverage

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 30 January 2011 - 02:09 PM

I originally posted in the Windows 7 forum here: http://www.bleepingcomputer.com/forums/topic376486.html/page__pid__2114135#entry2114135

MSE (Microsoft Security Essentials) removes this virus every time I restart my computer, for the past 2 days. This virus is changing my browser settings every time a browser (any browser) is opened, to connect to a proxy.

I've followed the steps to take before posting, but I'm having a problem with getting DDS to work. I'm getting a box that says windows can't open PEV.dat and I can't right click on it to run as admin. Is this due to script blocking software? If so, how do I find and disable it? The DDS installation guide didn't give any advice on that particular topic.


EDIT: I also can't seem to run GMER, in following the steps to configure it, everything is greyed out and I can't make any changes, and nothing is checked except for Services, Registry, and Files. I'm beginning to wonder if this is actually designed for a Windows 7 OS, because all of the screen shots were taken in Windows XP. Can someone verify that these programs are compatible with my OS?

Edited by SusanTheAverage, 30 January 2011 - 02:19 PM.


BC AdBot (Login to Remove)

 


#2 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:10:16 PM

Posted 04 February 2011 - 01:21 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Best Regards,
oneof4.

Best Regards,
oneof4.


#3 SusanTheAverage

SusanTheAverage
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 05 February 2011 - 01:38 PM

Here are two OTL scans, #1 is a scan performed after MSE removed the virus again (for the 4th time), and #2 is after rebooting my machine (which seems to be when the virus comes back). After I ran #2 scan, while I was still offline, I opened my browsers to see if their proxy settings were changed, and they were not. I ran an MSE scan, which didn't find the virus. I don't know if this is because I was not connected to the internet, or if that made any difference.

EDIT: Out of curiosity, I just rebooted while MSE was enabled and internet was enabled, and everything was fine. No virus was detected, and my browser settings were not changed. So if you don't find anything in the scans I've posted, then it's possible I'm no longer infected. Or, it's adapted to my frequency modulations and we're all going to be assimilated, and then we will become the virus.

Attached Files


Edited by SusanTheAverage, 05 February 2011 - 01:51 PM.


#4 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:09:16 PM

Posted 07 February 2011 - 12:06 PM

Hello SusanTheAverage,


I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see the logs we ask for are very extensive and take a lot of time to investigate.

Please subscribe to this topic. Click on the Watch Topic button, select Immediate Notification and click on proceed.

Please make sure Word Wrap in notepad is turned off. When copying and pasting logs paste them directly in the reply box only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7 it may be necessary to right click then choose Run as Administrator any programs we use.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

If you have since resolved the original problem you were having, we would appreciate you letting us know.

If you have not done so, [b]include a clear description of the problems you are having
, along with any steps you may have performed so far.


Thanks!!
PW

#5 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:09:16 PM

Posted 08 February 2011 - 09:10 AM

Hello SusanTheAverage,

Step 1.

Please download Malwarebytes' Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.


Step 2.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to Disable your Security Applications
    Note - If you have AVG or CA installed, due to recent changes in how these AV's target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download Opswat AppRemover http://www.appremover.com/supported-applications <----Important
    Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

In your next reply please include the following:

MBAM log
Combofix.txt



Thanks!!
PW

#6 SusanTheAverage

SusanTheAverage
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 09 February 2011 - 06:11 AM

Malwarebytes didn't find anything.

I'm not ready to commit to using Combofix, what I've read about it here on the forum tells me that it will make changes to my system with or w/out the presence of malware, so I'm not too keen about doing that until I know of someplace where I can go to have my computer fixed if something goes terribly wrong. Is there any other kind of scanner I can use? I still haven't heard back about how to make OTL or GMER work, if that's even possible with windows 7. Thanks!

#7 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:09:16 PM

Posted 10 February 2011 - 09:16 AM

Hi SusanTheAverage,

I apoligise for the delay. Somehow I missed your post.

ComboFix is perfectly safe if used by trained personnel. All of the Malware Response Team members at Bleeping Computer are trained in it's use. :thumbup2:

still haven't heard back about how to make OTL or GMER work, if that's even possible with windows 7. Thanks!

GMER does not work on 64 bit systems which you have. I don't know why DDS didn't work. That is one reason I wanted to see a Combofix report. :thumbup2:

Step 1.

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
Click on the Control Panel menu option.
When the control panel opens you can either be in Classic View or Control Panel Home view:


2. If you are in the Classic View do the following:
Double-click on the Folder Options icon.
Click on the View tab.
Go to step 4.

3. If you are in the Control Panel Home view do the following:
Click on the Appearance and Personalization link .
Click on Show Hidden Files or Folders.
Go to step 4.

4. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and shutdown My Computer.
Windows Vista is now configured to show all hidden files.

Next,
  • Click on this link--> virustotal
  • Click the browse button. Copy and paste the following lines in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.

C:\Windows\SysWow64\wh2robo.dll

If the file has been analyzed before, click the Reanalyse File Now button.

Please copy and paste the results of the scan in your next post.


Step 2.

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.

    :OTL
    IE - HKU\S-1-5-21-2723381702-560662278-3974630984-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:59050
    O4 - HKU\S-1-5-21-2723381702-560662278-3974630984-1000..\Run: [EA Core] File not found
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] File not found
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] File not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    
    :commands
    [EmptyTemp]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.


Step 3.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note: If ESET finds nothing there will be no log produced


Step 4.

We need to create another OTL Report
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • One report will open, copy and paste it in a reply here:
  • OTL.txt <-- Will be opened


In your next reply please include the following:

VirusTotal scan results
ESET scan report
OTL.txt



How is your computer running?

Thanks!!
PW

#8 SusanTheAverage

SusanTheAverage
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 11 February 2011 - 12:38 AM

Here's the results. Eset found no threats. My computer seems to be running fine now, the last time MSE reported the trojan was Feb. 7th, but it found another trojan, Win32:/Orsam!rts on the same day and quarantined it, but nothing since that day. I'm no longer getting the settings changed in my browsers to connect through a proxy.

File analysis:

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
wh2robo.dll
Submission date:
2011-02-11 01:39:31 (UTC)
Current status:
queued queued analysing finished
Result:
0/ 43 (0.0%)

VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2011.02.06.00 2011.02.06 -
AntiVir 7.11.3.40 2011.02.10 -
Antiy-AVL 2.0.3.7 2011.02.10 -
Avast 4.8.1351.0 2011.02.10 -
Avast5 5.0.677.0 2011.02.10 -
AVG 10.0.0.1190 2011.02.10 -
BitDefender 7.2 2011.02.11 -
CAT-QuickHeal 11.00 2011.02.10 -
ClamAV 0.96.4.0 2011.02.10 -
Commtouch 5.2.11.5 2011.02.10 -
Comodo 7645 2011.02.10 -
DrWeb 5.0.2.03300 2011.02.11 -
Emsisoft 5.1.0.2 2011.02.10 -
eSafe 7.0.17.0 2011.02.10 -
eTrust-Vet 36.1.8152 2011.02.10 -
F-Prot 4.6.2.117 2011.02.04 -
F-Secure 9.0.16160.0 2011.02.10 -
Fortinet 4.2.254.0 2011.02.10 -
GData 21 2011.02.11 -
Ikarus T3.1.1.97.0 2011.02.10 -
Jiangmin 13.0.900 2011.02.10 -
K7AntiVirus 9.83.3813 2011.02.10 -
Kaspersky 7.0.0.125 2011.02.11 -
McAfee 5.400.0.1158 2011.02.11 -
McAfee-GW-Edition 2010.1C 2011.02.11 -
Microsoft 1.6502 2011.02.10 -
NOD32 5863 2011.02.10 -
Norman 6.07.03 2011.02.10 -
nProtect 2011-01-27.01 2011.02.02 -
Panda 10.0.3.5 2011.02.10 -
PCTools 7.0.3.5 2011.02.10 -
Prevx 3.0 2011.02.11 -
Rising 23.44.03.05 2011.02.10 -
Sophos 4.61.0 2011.02.11 -
SUPERAntiSpyware 4.40.0.1006 2011.02.11 -
Symantec 20101.3.0.103 2011.02.11 -
TheHacker 6.7.0.1.126 2011.02.10 -
TrendMicro 9.200.0.1012 2011.02.10 -
TrendMicro-HouseCall 9.200.0.1012 2011.02.11 -
VBA32 3.12.14.3 2011.02.10 -
VIPRE 8377 2011.02.11 -
ViRobot 2011.2.10.4303 2011.02.11 -
VirusBuster 13.6.193.0 2011.02.10 -
Additional information
Show all
MD5 : 90ad1c3483cb6515c0d5c687190b2363
SHA1 : 6a5ff5cd54599d030bc2e4ff8c8ff0d8fd55e4fd
SHA256: bbfe1f9cff8fc9d8bad53c75e32a5ef3d9c4a11fac2aebcfb95fc5d2342e8020


OTL report:


All processes killed
========== OTL ==========
HKU\S-1-5-21-2723381702-560662278-3974630984-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_USERS\S-1-5-21-2723381702-560662278-3974630984-1000\Software\Microsoft\Windows\CurrentVersion\Run\\EA Core deleted successfully.
Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Owner
->Temp folder emptied: 916958367 bytes
->Temporary Internet Files folder emptied: 214549879 bytes
->Java cache emptied: 48714253 bytes
->FireFox cache emptied: 38994096 bytes
->Flash cache emptied: 44096 bytes

User: Public

User: Sunet Systems
->Temp folder emptied: 173657182 bytes
->Temporary Internet Files folder emptied: 633709839 bytes
->Java cache emptied: 65475682 bytes
->FireFox cache emptied: 58999110 bytes
->Google Chrome cache emptied: 345917162 bytes
->Flash cache emptied: 205866 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 426462 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 84659 bytes
RecycleBin emptied: 1038819353 bytes

Total Files Cleaned = 3,373.00 mb


OTL by OldTimer - Version 3.2.20.6 log created on 02102011_194347

Files\Folders moved on Reboot...
File move failed. C:\Users\Sunet Systems\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
File move failed. C:\Users\Sunet Systems\AppData\Local\Mozilla\Firefox\Profiles\z08xinr5.default\Cache\_CACHE_001_ scheduled to be moved on reboot.
File move failed. C:\Users\Sunet Systems\AppData\Local\Mozilla\Firefox\Profiles\z08xinr5.default\Cache\_CACHE_002_ scheduled to be moved on reboot.
File move failed. C:\Users\Sunet Systems\AppData\Local\Mozilla\Firefox\Profiles\z08xinr5.default\Cache\_CACHE_003_ scheduled to be moved on reboot.
File move failed. C:\Users\Sunet Systems\AppData\Local\Mozilla\Firefox\Profiles\z08xinr5.default\Cache\_CACHE_MAP_ scheduled to be moved on reboot.
File move failed. C:\Users\Sunet Systems\AppData\Local\Mozilla\Firefox\Profiles\z08xinr5.default\urlclassifier3.sqlite scheduled to be moved on reboot.

Registry entries deleted on Reboot...

#9 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:09:16 PM

Posted 11 February 2011 - 04:25 AM

Hi SusanTheAverage,

Any infections you may have had seem to have been taken care of. :thumbup2:


We need to do a little house cleaning.

Step 1.

You can now re-hide files and folders. Please reverse the steps in post #7 to re-hide files and folders.


Step 2.

Please open OTL
  • Double click on the Posted Image icon on your desktop.
  • Click the "Cleanup" checkbox.
  • You will be asked, "Begin Cleanup Process"
  • Select Yes
  • You will be prompted to restart your computer.
You can now uninstall any other programs we may have used and delete any logs that may have been generated.

Step 3.

Here are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of them, however, by following the rest of them you will reduce the risk of becoming re-infected.

It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems. You can find microsoft updates here

I recommend that you visit the link above and either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

New viruses come out every minute, so it is essential that you keep your antivirus program updated and have the latest signatures to provide you with the best possible protection from malicious software.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Make sure you use a firewall. A tutorial on understanding and using firewalls may be found here. For most users the built in Windows Firewall is sufficient. Only use one firewall at a time though.

Install Spyware Blaster and update it regularly
If you wish, the commercial version provides automatic updating.

Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
SuperAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non commercial home use but provide
a resident and do not nag if you purchase the paid versions. I personally prefer and highly recommend the licensed version of MBAM.

Please read and follow How did I get infected?, With steps so it does not happen again! as well as How to prevent Malware by Miekiemoes

If you have any questions please do not hesitate to ask.



Thanks!!
PW

#10 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:09:16 PM

Posted 14 February 2011 - 03:19 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
PW




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users