Solved backdoor win32 cycbot.b

[Lorien]

Expand the command prompt to the top of the page and then to the bottom of the page and if necessary to the left or right (if it will allow that). Then start at the top and select the area you want (as I did) and snip the contents. If there's more than will fit in one snip, then scroll the command page to the next section and snip that as well until you reach the end (shouldn't be more than 2 or 3 snips).

Good luck!

 

[FCUSA]

Ok - maybe there was a server problem this morning. I took 2 shots and of course the size is larger in each





I am going to try the Dr Web Cureit again in a separate post

 

[FCUSA]

Still cannot do the Dr Web Cureit - that file is 55,128kb (53.8 MB).

Maybe this file is what caused the problem this morning. It shows it as text file.

You must really be tired of me today - I do not know how to zip a file.

 

[Lorien]

I don't think it'll compress to 10MB - so let's just forget that one for now and concentrate instead on getting an MBAM log or report snip. I'm sure the size of that file is what caused the problem before. On second thought, open the file and see if you can isolate and identify the infections it detected and what it did about them. If so, just copy that information only (skipping everything else) and paste it here (or put it in a text file in Notepad and attach the text file - whichever is easier for you) that'll probably be enough for her to figure out what it did.

Your IPCONFIG looks good - you do not have a loopback address but a valid IP address with valid DHCP and DNS server addresses. I see no problems with it. That's good news. Good job getting that done.

Good luck!

P.S. To zip a file, just right click on the file and click Send To and then click Compressed Folder and it will create a folder with that compressed file inside (compressed and zip mean the same thing for our purposes). Not very hard if you know the trick on how to get to the command.

 

[FCUSA]

Lorien -

That is excellent news - thank you so much for reviewing it.

I have a partial of Dr Web Cureit file attached (that went very quick!). I only copied the beginning and up to 'low level...'. I did browse through the rest of the report - very long - but did not see anything like what you are about to look at.

I noticed that the report makes some commets on the top about 'access denied' to the low level' - well I do not have it opened right now but there are more users than the two listed. I ran it while in the affected user as the Administrator.

I still don't know what happened to the file for MBAM - as you saw the settings were correct and it said the log would be accessible in the folder?? Happy to search if you have a suggestion on file name.

 

[Lorien]

If the MBAM log isn't in the log tab, then I have no idea where to search for it. You said it found 5 viruses, so it must have produced a report (which wasn't saved as a log). Please run it again to confirm that it comes up clean and copy the report and post it here (since we don't have a log to attach). That's pretty much the same information and it will do.

I'm not a security expert, so I'm not entirely sure how to interpret that report - but my guess is that it appears to be clean (but I could be wrong - I'm not qualified to analyze it); however, you say you ran it as an administrator but it's saying that it was not an admininstrator which is why it skipped some files. I can't explain that. But let's consider that effort done and if Jacee wants more, she can request additional information.

Thanks and good luck!

 

[FCUSA]

I just did the Search & Destroy and I guess I do have some concern.

It appears to have taken care of 72 out of 73 problems found.

The file mentioned isn't the same name as the file that cannot be found during startup. I am still in Spybot - not quite sure where to go from here.

 

[Lorien]

OK, the file it couldn't resolve is a temp file. Let's get rid of all the temp files. See the post to me when I had a similar issue and follow Jacee's instructions: http://www.vistax64.com/system-security/284475-two-minor-security-questions.html#post1296222.

Good luck!

 

[FCUSA]

Sorry to see you had a similar problem not so long ago. Feel better that it is not much of a concern to you. Should I do the TFC process first and then MBAM? I read some of the threads (and not to get ahead of myself) will I need to download drivers etc.?

 

[Lorien]

The order doesn't matter. You won't need to download drivers, etc (at least not for this part). I can't say for sure in the long run until after Jacee has taken aa look at it. My problem wasn't exactly the same and involved a BSOD which was caused in part by some obsolete drivers - this does not apply here.

 

[FCUSA]

Thank you again for your direction. I'll get working on this.

 

[FCUSA]

sorry for the second note and snapshot. I didn't realize there was another file under the .tmp (and it is a Registry Value) didn't know if you should know about that. Or at least wanted you to see the file.

 

[FCUSA]

Well, I hope I am able to celebrate! I ran the TFC and as you can see in previous post there was something there. I ram MBAM again (and again had some trouble finding the report).

Reboot and same message "Could not load or run C:\users\fcusa\.........\temp.csrss.exe'

Totally disappointed. I ran it again and everything looks good. When I reboot - no message!

Thank you again for you endless patience and assistance. Let me know what you think.

 

[FCUSA]

Quick question - don't want to take any chance considering most recent problem.

McAfee poped up this morning:

Program Want Internet Access
Program: Microsoft Feeds Synchronization
Location: C:\windows\system32\msfeedssync.exe
Recommendation: Unknown program

With the following choices:
Allow Always - Allow Once - Block

I've never seen this ask before (and do not know if it is because some changes have been made during cleaning the virus or if something is trying to get access (even though it says MS)

 

[Lorien]

RSS Feeds are things you can request to keep you updated on certain websites. It's usually an orange box with three white scrolling lines with the smallest at the left an the largest to the right. If you click that you activate feeds from the site and, at least in my case, they go to an RSS Feeds folder in Outlook. I believe this program is attempting to update some existing feed. If you don't use RSS feeds or don't care to use it, then just block it to be on the safe side. I personally find them useful, but if you never requested feeds, then I'm not sure why it would be wanting to synchronize because there should be none to activate the process. It's pretty much up to you - I don't think the program itself is dangerous or that the feeds are dangerous but I'm not sure why you are getting any if none exist (or maybe it's just checking). I personally would allow it - but if you're a bit nervous about such things at the moment and don't use RSS feeds, then block it for your peace of mind.

It looks like MBAM cleared that registry infection - which apparently resolved the error message. I'm still not satisfied your system is completely clean - so I'm now going to PM Jacee to take a look and see what she thinks.

Until she replies, I suppose we are done.

Good work.

If anything pops up be sure to post back so we can be aware of it and consider it in the overall picture.

Good luck!

 

[niemiro]

Hello!

I really think you should either see Jacee or a malware removal website. You should remember that this is a backdoor trojan. This thing is designed to try and steal your credit card details, and hide away from normal antivirus software. I would never ever ever trust this machine again, when we are only running the tools from which it is designed to hide.

As a trainee, I certainly cannot help, as I would get in massive trouble, especially with a trojan considered this dangerous, but if you want to remove that message, you need HiJackThis, and if you want to be sure you are clean, you need more powerful tools for which I would have my throat slit for even naming.

Really sorry I cannot be of more assistance,

Richard

 

[FCUSA]

Thanks again for such a quick response. I left the window up because I don't recall subscribing to any feeds and wondered if it was simply something from when the computer was first set up and changed with recent cleaning done - or in the worst case, something was disquising (that spelling doesn't look right) itself?

I was pleased to get the results to you last night and am keeping my fingers crossed. Everything booted without issue this morning and I was actually reading your recent response about maintenance - thank you for that in depth post.

 

[Lorien]

I have sent a PM to Jacee advising her of the specific trojan involved here and asking her to take a look and see if she's satisfied or feels more is required. If so, I'm sure she will provide you with instructions as are appropriate. As far as I'm concerned, this isn't over until Jacee says that everything is fine.

Good luck!

 

[Lorien]

I received your PM, and I'm responding here so those reading this understand what has been said to you and what has been recommended and to try to explain some of the likely courses of action (and actions you suggested that are probably not going to be required).

Remember the earlier post I sent you with a link to an explanation of this trojan? You said you read it and found it disturbing. It didn't really say much different than what Richard just posted. That's why I'm saying this isn't over until Jacee gives it her blessing. If you were infected, there's a good chance we may have gotten to some of it, but we may not have gotten to all of it. Some believe the only solution is to backup your data and do a clean boot. That may be Jacee's recommendation. In the meantime, you need to consider the ramifications of this infection if it still exists and if it truly infected your system (I'm not entirely certain it did infect you and wasn't caught by your AV software before it could get in, but I don't know and we can't take the chance I'm wrong about that) - they could mean you are compromised and others can access information on your system without your knowledge (or already may have done so). I'm not sure if it's time to push the panic button or not - but it is a very dangerous trojan and it may require extreme measures to eradicate.

In the meantime, changing passwords and such using a different computer would be a good idea (especially to things like bank accounts and your email and messenger account and things like that - but really everything you want to keep safe). And don't use this computer to go to those sites after you've made the changes as it may provide the new passwords. We really need to wait for Jacee to have a look and render an opinion - but these other steps can be done in the meantime (even if it means rendering that computer essentially unusable until Jacee has given you the green light). If the computer stores financial information (like credit card information and online access sites - or something like Quicken or Money), then you may need to consider changing your passwords and even contacting the banks to change the cards to new numbers. The same goes for investment accounts and anything else they could access because they got to the data. In your case they could also have the info from BCM (if it's on this machine) but I'm not certain what to do about that. That all said, it's also possible nobody has any information and you're perfectly fine. I simply don't know but you've been advised of the risks and it's up to you how you want to proceed.

I'm not the expert here, but you've read two items (the link I provided early on and Richard's post) explaining the potential dangers. I'd wait for Jacee before doing a clean install, but I might consider the other steps that were recommended in the post I provided and i'd probably avoid using this PC until Jacee has replied to you about the situation.

I do not believe that the situation is so bad that you must throw away the entire computer and buy a new one. It may be necessary to do a clean install (and we may even need to sacrifice the data - though that typically isn't the case but I'm not certain and we need Jacee to advise you about that) - but I think that will do the trick and you won't need to junk the whole computer. Then again, it may be possible to confirm you weren't really infected (as I said, it may have been caught before it could gain a foothold) or if you were to eradicate whatever remains of it without needing to do a clean install. I simply don't know - but Jacee will give you the correct advice on how to proceed.

Good luck!

 

[Jacee]

Yikes! Sorry I'm late ....

FCUSA, first let's flush your DNS cache, and restore MS's Hosts file.
Copy and paste these lines in Note pad.
@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0

Save as flush.bat to your desktop. Right click and choose to run as Administrator. Your computer will reboot itself.

Next, download Combofix from any of the links below, and save it to your desktop.<--Important
Link 1
Link 2
Link 3

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

• Right click (run as administrator)combofix.exe and follow the prompts.
• When finished, it will produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply.
After rebooting ensure your Security applications have been re-enabled.

In your next reply post:
ComboFix.txt
***A guide and tutorial on "How to use Combofix" can be found here:
A guide and tutorial on using ComboFix