Solved backdoor win32 cycbot.b

Try going to Start / Computer / System Properties and seeing what it tells you. That's how it would work in Vista and I hope it's the same in Windows 7.

That worked - it is also 64 bit.

Thank you!
 

My Computer

System One

  • Manufacturer/Model
    Dell Studio XPS 1640
    CPU
    Intel Core 2 Duo P8600 (2.4GHz/1066Mhz FSB/3M L2 Cache)
    Memory
    4GB
That's how it would work in Vista. That's a mite extreme, but I can certainly understand why you are being cautious given recent events.

Also, remember if you do use Revo, you need the Pro version and not the freeware version (and to avoid paying for it, you will need to cancel during the 30-day free trial) - but it will get you past this if necessary.
 

My Computer

System One

  • Manufacturer/Model
    Dell Inc. MP061 Inspiron E1705
    CPU
    2.00 gigahertz Intel Core 2 Duo 64 kilobyte primary memory
    Motherboard
    Board: Dell Inc. 0YD479 Bus Clock: 166 megahertz
    Memory
    2046 Megabytes Usable Installed Memory
    Graphics Card(s)
    ATI Mobility Radeon X1400 (Microsoft Corporation - WDDM) [Di
    Sound Card
    SigmaTel High Definition Audio CODEC
    Monitor(s) Displays
    Generic PnP Monitor (17.2"vis)
    Screen Resolution
    1920 x 1200 pixels
    Hard Drives
    Hitachi HTS541616J9SA00 [Hard drive] (160.04 GB) -- drive 0, s/n SB2411SJGLLRMB, rev SB4OC74P, SMART Status: Healthy
    Case
    Chassis Serial Number: 5YK95C1
    Keyboard
    Standard PS/2 Keyboard
    Mouse
    Logitech HID-compliant Cordless Mouse
    Internet Speed
    1958 Kbps download ; 754.8 Kbps upload
    Other Info
    Optiarc DVD+-RW AD-5540A ATA Device [CD-ROM drive]

    Dell AIO Printer A940

    Conexant HDA D110 MDC V.92 Modem

    6TO4 Adapter
    Broadcom 440x 10/100 Integrated Controller
    Broadcom 802.11n Network Adapter
    Microsoft ISATAP Adapter
    Teredo Tunneling Pseudo-Interface

    Router Linksys / WRT54G -01
In your professional opinion, do you think I am fine with Trend Micro until (and only until) we complete issues with the infected computer? I ask this only in the event I do have a problem while changing the security systems? (I can't afford to buy another computer this week :)
 

If you set up Windows Firewall, then for a few days or even a week or so, you should be fine with Trend. It's not my first choice (or even on my list), but it's not so bad that you're unprotected. Is it free with the system or only a trial? How long is the trial? Make sure you update it manually so it has all the current definitions and set it so it automatically updates daily until you do change. Run a full scan after the update to make certain it isn't already infected (even if it is new). Make sure it is working in real time and using its best security scanning options (which may not be the default).

Also, if you do that, download Malwarebytes (you don't have to uninstall Trend to use this program) and run it at least weekly in a full scan (after updating it each time) as added protection until MSE is up and running.

Take care.
 

Thanks for that info - I will check everything as recommended and then start on the other computer.

Trend Micro was 'included' with the purchase - it is actually good for 1 year and is the Titanium Maximum Security edition ver 3.0. Doesn't give you a warm & cozy feeling when you go to the site and see the first 'hot issue' being that it is turning itself on & off automatically!

The first question I asked the Tech 'Is it easy to uninstall' - it raised a brow, but not too much of one which I took as 'I understand - not my first choice either'.

I was already too beat up to negotiate any of this! I'm certain I made their day! Nice little Toshiba though.

Thanks for that input and if I do not get the opportunity, have a Merry Christmas!
 

Would you mind giving me the make and specific and complete model number so I can look it up - I'm interested to see what you got? And besides 64-bit, what version of W7 did you get (Home Premium, Professional, or Ultimate)?

And Merry X-Mas and Happy New Year to you (just in case).
 

This cannot be real! I just installed and ran MBAM full scan - log attached!

PUM.Hijack.StartMenu

Registry (category)
 

Attachments

  • mbam-log-2010-12-23 (15-24-46).txt
    1 KB · Views: 27

I'm not an expert, but I think this is a false positive. Let me get someone else to take a look. Hang tight.
 

Would you mind giving me the make and specific and complete model number so I can look it up - I'm interested to see what you got? And besides 64-bit, what version of W7 did you get (Home Premium, Professional, or Ultimate)?

And Merry X-Mas and Happy New Year to you (just in case).


I am so sorry I did not see this post as we had everything shut down while performing the changes and scans etc.

Toshiba
Satellite L645D
AMD Turion II P540 Dual-Core Processor 2.40 GHz
4GB Ram
64-bit OS

Windows 7 Home Premium
 

He's offline now (& Jacee's on holiday till who knows when), but I think he'll be back today and should see my PM and check it out and hopefully confirm my opinion - but I could be wrong so we need to wait and see.

Nice little computer. You should enjoy it.

Take a couple of Valium and wait until he returns and replies. Be patient.
 

I would if I had them!!!!!! Heaven (& you) knows I need something right now.

What on earth is a 'false positive' (aside from the obvious statement)? Does that happen often? It did not come up in quick scan, but I did a full scan and voilà!

While on this subject - when we ran MBAM, it did ask for Admin Password to run, but when it came to the log, it told me I was not authorized to save it in the log - I had to save it in 'my docs' as txt file. Why wouldn't it allow me access to save the file if I already gave permission to run it?
 

It's nothing more than the obvious - it's a file or entry that causes the initial scan to see it as a potential infection, but the later analysis seems to show it was considered 'good' and therefore no action was taken. That's why I think it was a false positive. It came up on the full scan and not the quick scan because obviously that file or entry is not checked during a quick scan. It doesn't happen very often - this is in fact the first time I've seen it in months - maybe even more than a year. But you have Windows 7 and I don't know how often it occurs with that system (or whatever is installed on the computer you bought). But don't forget, and I hate to harp on this, but I'm not an expert and I'm not certain here - so we need to wait for confirmation or perhaps for further testing or for bad news (I'm sorry, but I simply am not 100% certain).

Being able to run a file and being able to create and save a new file to a directory are two different things and require different permissions. It's not unusual. I've never had this problem myself with MBAM logs, so I suspect that your security is set different or tighter than mine (perhaps another difference with W7 or maybe a Toshiba default setting). The important thing is you were able to save it and post it even if not in the same directory as MBAM. If it were Vista, here are the types of permissions you can have: http://windows.microsoft.com/en-US/windows-vista/What-are-permissions.

Hope this helps.

Good luck!
 
I saw that about 'good' and 'bad' and was totally baffled! So, I wait.
 

Hello!

It is nothing to worry about, and not a virus, but it is not quite a False Positive either. In your case it is, but not always.

Code:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
Good and Bad confuses a lot of people. It means that the value of 0 is malicious, but 1 is good, and so MBAM will change the 0 to a 1. What it is, to what it should be.

All that registry key is, is a setting. There is a new virus which disables most things: Documents, Search, Pictures, and makes the start menu very empty! MBAM puts these start menu items back. Your computer has one of these settings set. This does not mean that you have Trojan.Fakealert, just that your computer was personalised in the factory. If you want the search bar, let MBAM fix it, otherwise tell MBAM to permanently ignore it.

Good luck!

Richard

P.S. Thread is here, but it isn't particularly easy to understand! http://forums.malwarebytes.org/index.php?showtopic=4786&pid=19168&mode=threaded&start=#entry19168
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS 420
    CPU
    Intel Core 2 Quad Q9300 2.50GHz
    Motherboard
    Stock Dell 0TP406
    Memory
    4 gb (DDR2 800) 400MHz
    Graphics Card(s)
    ATI Radeon HD 3870 (512 MBytes)
    Sound Card
    Onboard
    Monitor(s) Displays
    1 x Dell 2007FP and 1 x (old) Sonic flat screen
    Screen Resolution
    1600 x 1200 and 1280 x 1204
    Hard Drives
    1 x 640Gb (SATA 300)
    Western Digital: WDC WD6400AAKS-75A7B0

    1 x 1Tb (SATA 600)
    Western Digital: Caviar Black, SATA 6GB/S, 64Mb cache, 8ms
    Western Digital: WDC WD1002FAEX-00Z3A0 ATA Device
    PSU
    Stock PSU - 375W
    Case
    Dell XPS 420
    Cooling
    Stock Fan
    Keyboard
    Dell Bluetooth
    Mouse
    Advent Optical ADE-WG01 (colour change light up)
    Internet Speed
    120 kb/s
    Other Info
    ASUS USB 3.0 5Gbps/SATA 6Gbps - PCI-Express Combo Controller Card (U3S6)
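
The log line quoted in the post above can be read mechanically. As an added example (not part of the original thread and not Malwarebytes code), this Python parser splits lines of that shape into key, value name, detection, the "Bad" data found, the "Good" data the scanner would write, and the action taken. It assumes other registry-data lines follow the same shape as the one quoted; the second sample line and its action text are constructed.

```python
import re
from dataclasses import dataclass

# Shape of the registry-data line quoted in the thread:
#   <key path>\<value name> (<detection>) -> Bad: (<found>) Good: (<expected>) -> <action>
LINE_RE = re.compile(
    r"^(?P<key>HKEY_[^\\]+\\.+)\\(?P<value>[^\\]+?)\s+"
    r"\((?P<detection>[^()]+)\)\s*->\s*"
    r"Bad:\s*\((?P<bad>.*?)\)\s+Good:\s*\((?P<good>.*?)\)\s*->\s*"
    r"(?P<action>.+?)\s*$"
)


@dataclass(frozen=True)
class PumFinding:
    key: str        # registry key path
    value: str      # value name under that key
    detection: str  # scanner's detection label, e.g. PUM.Hijack.StartMenu
    found: str      # "Bad": the data present at scan time
    expected: str   # "Good": the data the scanner would write when fixing
    action: str     # what the scanner reports it did

    @property
    def untouched(self) -> bool:
        # Only "No action taken." appears on the page; any other action text
        # is ASSUMED to mean the scanner changed or quarantined the value.
        return self.action.rstrip(".").lower() == "no action taken"


def parse_line(line: str):
    """Return a PumFinding for a matching line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return PumFinding(m["key"], m["value"], m["detection"],
                      m["bad"], m["good"], m["action"])


def triage(log_text: str):
    """Split a log into parsed findings and the non-matching lines."""
    findings, skipped = [], []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        finding = parse_line(raw)
        if finding is None:
            skipped.append(raw.strip())
        else:
            findings.append(finding)
    return findings, skipped


def explain(f: PumFinding) -> str:
    """One-line plain-language reading of a finding."""
    state = "left as found" if f.untouched else "acted on by the scanner"
    return (f"{f.value}: scan found {f.found!r}, scanner default is "
            f"{f.expected!r} [{f.detection}], {state}")


# First entry is the line quoted in the thread; "Registry (category)" also
# appears in the thread. The last line is CONSTRUCTED for illustration.
SAMPLE_LOG = r"""
Registry (category)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Example\Settings\Example Value (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    parsed, ignored = triage(SAMPLE_LOG)
    for item in parsed:
        print(explain(item))
    print("unparsed lines:", ignored)
```

A finding that is "left as found" still has the flagged data in the registry, which is why the same entry shows up again on the next full scan until it is fixed or added to the ignore list.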
Good Day, Richard

Thank you for your response. I will review the thread you mention. I did look around SF last night and saw another F/P post - yes, it is all very confusing.

MBAM currently has it in Quarantine and quite frankly, uncertain if it should be deleted or restored. Does it help to know that the computer was purchased at Best Buy and they have their 'stuff' coming up automatically at start up. Now that I am thinking about it, I am not sure it came up this morning - I'll have to reboot to pay attention. Is that the type of 'factory personalization' you are referring to? Additionally, 'what search bar' are you referring to?

Thank you so much on this holiday morning! Merry Christmas to you.
 

Ok - I did reboot and the Best Buy ads are not automatically loading - yeah!! Toshiba has a 'sidebar' app (not sure what it is for yet), but it is still there; and Toshiba also has a 'reel time' app at the bottom and that still works.

I did review the thread at MBAM and you are right it was quite cryptic to me, but made more sense with the info I received on this Forum.
 

Hi FCUSA,

We can lose a lot of that Toshiba crap and other unnecessary programs and set up a good maintenance routine for your system. I've amended this as much as I could so it would apply to Windows 7 (but bear in mind that I'm not a Windows 7 expert, so I may have missed a few things - so unless it specifically says it is for Windows 7, be sure it applies to Windows 7 and that you choose the proper version (64-bit may differ from 32-bit for some programs - or may not even be available - I honestly didn't check every link but you should until you verify it clearly applies in your situation)).

One very important thing to begin – do NOT use any Registry Cleaner or Registry Booster or Enhancer, or Repairer or Fixer software (or whatever it calls itself) no matter what it says (scans will tell you have thousands of errors just to get you to download and install the program or worse, buy it) or where you got it (even safe sites sell these products but they are not worth the headaches they can cause). Most do nothing of value and some can do great harm (to the point where you need to do a clean install to fix the problem – and that’s not even counting the fact that many such programs are actually malware in disguise). Vista keeps the registry clean on its own quite well and doesn’t need any help.

To improve your speed and space, do Disk Cleanup using: Disk Cleanup - Open and Use - Windows 7 Forums. Delete as much as you feel comfortable doing – nothing deleted there will harm your system in any way. This includes deleting the Temporary Internet Files. If you want to keep this from building, go to Tools / Internet Options / Advanced and check the box Empty Temporary Internet Files Folder whenever browser is closed and then that folder will always stay empty (except when you're using the program).

Also do an Optimization: Optimize Windows 7 for better performance. Do all of the options (or at the very least, consider them - many can help a great deal).

At least once every month or so, run CCleaner http://www.piriform.com/ with as many options as you choose to delete (but be careful because this program if not used properly and with caution and with you paying attention to what you are doing can delete important and even critical files that could cause a great deal of trouble). Do NOT check any registry options!!

Clearing out your temporary files can also save you much space and improve performance and while some of the above will clear a lot of the temp files, they won't cover them all. This will. I recommend running it every month or two. It is TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and you should download and save it to your desktop. When run, it will close everything else, so be sure to save anything you're working on and basically close all your programs. If it asks (and when done even if it doesn't ask), reboot to complete the process.

System Restore can take up to 15% of your partition's space but that can be reduced. It's a trade-off. The less space you allocate, the fewer restore points you will be able to retain - but many people reduce this to save some space while leaving enough to save 3-4 restore points at least (which is usually enough - until you need them). Here's the procedure: http://www.howtogeek.com/howto/5482/make-system-restore-use-less-space-in-windows-7/. I personally use the full 15% myself as I prefer to have the restore points and I have enough space on my drive - but the decision is yours.

THIS IS THE PART I WAS TALKING ABOUT AT FIRST: Go to Start / Search options and type in msconfig and enter and then double click on the program icon that appears. Go to the startup tab and uncheck any program that you don't need starting at startup. That will probably be the majority of items there - if not most of them (some are needed like the AV program and Windows Defender but most are there to make opening the source programs faster and make you think they're more efficient and all those Toshiba programs should be there and if you uncheck them they should go away if you don't want them - remember, all you need to do to return them is to recheck the button - plus those programs will almost certainly open if you select them directly from the Start Menu if you want them - this just prevents them from starting on their own without your OK). This will free up a lot of RAM and help a lot in making your system faster (though perhaps not so much that you'll be able to notice the difference - but maybe depending on how much unnecessary stuff is loading at startup). When I did this on my system I removed over 90% of the entries and suffered no ill effects – to the contrary, I noticed startup was quicker, response times when working were better and I could open more programs at the same time and still have no problems, and shutdown was also faster. To make this work, once done you need to reboot so the new startup procedure will use the new settings and if you got rid of all that Toshiba crap you don't want, it shouldn't show up any more.

You can accomplish some of these tasks (and more that aren't entirely related) by using http://onecare.live.com/site/en-us/center/whatsnew.htm (which also searches for malware). I do this on a monthly basis or so just as a part of normal maintenance and I suggest you do the same (except for the registry cleaner – no not even Microsoft’s own product is entirely safe and the product has been removed from the paying market for reasons unknown though it’s still available here for now but probably not for long). Make sure you select a full scan (except the registry cleaner) - it will take a few hours (mine can take around 5-6) but can work in the background so start it when it has enough time to complete.

I hope this helps.

Good luck!

P.S. If that file is quarantined, then you should have the search bar it was talking about as it would no longer be being blocked. I'm not quite sure which one it was referring to so I'm not certain how to confirm this (but if you aren't missing a search bar anywhere, then you obviously don't really need it that much even if it is still missing, now do you?).
 
If you've been on this page for a while, please refresh it as I've edited the prior post extensively.
 

Thank you for the maintenance schedule! I did go over to SF yesterday - waiting on my log in.

I cannot express how grateful I am to you and everyone else who has provided assistance and (safe) link info - I would never have found them (or trusted them) on my own.

On your PS - I guess this is a matter of perception as I would have interpreted 'if the file was Quarantined - it was not working/blocked'. Obviously, I need to look at the MBAM Forum more for info on how to read/understand the logs. If indeed it is actually not being blocked, why does it need to be either 'deleted or restored'?
 

It always provides those options for things in quarantine. Quarantine is a place where it puts questionable items so you have a choice as to what you want to do with the item (rather than taking action on its own that you may wish had not happened). While in Quarantine, it's as if the file is deleted as far as the system is concerned (so what it does is blocked and since what it does in this case is block itself, it's that second blocking that isn't happening so the feature that was being blocked should work as the file that blocks it is in Quarantine).

You don't really NEED to do anything - you can just leave it there. But generally people try to identify why it was quarantined and if it is appropriate and you don't want the file, then they tend to delete the file and if it is not appropriate to be in quarantine (and they want the file) they tend to restore it. You don't want a huge list of items in quarantine which each need to be researched. Richard told you the purpose - if you don't want that happening, then delete it. If you do want that happening, restore it (but tell MBAM to ignore it from now on if you decide to keep it).

Good luck!

P.S. This is post #100 in this thread! That makes it one of the longest question/problem resolution threads in the forum (not counting stuff in Chillum). There may be some bigger, but not very many at all. It's hard to believe we spent so much time and effort on it - but I suppose it happened. Amazing!! :shock:
 
