Help to manually remove backdoor.zyklobot

Discussion in 'Malware Help (A Specialist Will Reply)' started by maru, Dec 1, 2006.

  1. maru

    maru Private E-2

    Hello!

    First post on this board, I'm needing some advice to remove the last nasty piece of malware on my pc.

    I let a friend of mine go online using my Windows 2000 Administrator account (I made a huge mistake and kept a weak password on that account), just to find out later he had disabled the firewall (Kerio Personal Firewall, unregistered) and used Internet Explorer instead of Firefox.

    Bottom line, I cleaned everything except for backdoor.zyklobot, which can't be detected with any antispyware or antivirus I've tried, not even in safe mode. I found out it was there because some process was trying to execute
    WINNT$\system32\drivers\knlps\nul\usr\bin\_0_mbt.exe
    and it corresponds only to this trojan.

    The knlps directory doesn't show up in Windows (safe or normal mode), and I can't cd to it from the command line or list the directory contents (it says 'Access is denied' or 'File not found').

    I booted from my Linux partition (SuSe 10.1 x64), which is currently offline due to some hardware incompatibility with the modem my ISP provided recently. There I could cd into that directory and could even read the files the trojan has dropped. But NTFS is read-only under Linux (and I don't dare risk my filesystem structure using experimental NTFS write).

    At the moment I have blocked all risky ports and don't allow unknown programs to be executed, using my software firewall. It is a temporary solution just to find some help online...


    I hope I didn't forget to mention anything... What do you guys suggest? What else could I try?

    Thanks in advance,

    Maru-

    edit: typo.
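The path quoted in the post has a component named nul, a reserved MS-DOS device name; Win32 path parsing treats that component as the device rather than a directory, so cmd.exe, Explorer and most scanners cannot descend into it while a Linux NTFS driver can, which matches the symptoms described. The following is an added example, not code from the post or from any tool named in it: it flags path components that collide with reserved device names in a constructed file listing and builds the extended-length (\\?\) form of the path that Win32 accepts without device-name parsing. It assumes the WINNT directory lives on C:.

```python
import re

# Reserved MS-DOS device names. A path component equal to one of these
# (optionally with an extension, e.g. "nul.txt") is parsed by Win32 as the
# device, so anything beneath it yields "Access is denied" or "not found".
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}

_SEPARATOR_RE = re.compile(r"[\\/]+")


def reserved_components(path: str) -> list[str]:
    """Return every path component that collides with a reserved device name."""
    hits = []
    for component in _SEPARATOR_RE.split(path):
        # Win32 ignores the extension and trailing spaces when matching devices.
        stem = component.split(".", 1)[0].rstrip(" ")
        if stem.upper() in RESERVED_DEVICE_NAMES:
            hits.append(component)
    return hits


def extended_length_path(path: str) -> str:
    """Prefix a drive-absolute path with the extended-length marker so the
    Win32 API opens it verbatim, letting the directory be listed and removed."""
    normalized = path.replace("/", "\\")
    if normalized.startswith("\\\\?\\"):
        return normalized
    if not re.match(r"^[A-Za-z]:\\", normalized):
        raise ValueError("extended-length form needs a drive-absolute path")
    return "\\\\?\\" + normalized


def scan_paths(paths: list[str]) -> dict[str, list[str]]:
    """Map each suspicious path to the reserved components hiding it."""
    return {p: hits for p in paths if (hits := reserved_components(p))}


# Constructed sample listing (not from a real system). The first entry is the
# trojan path quoted in the post, assumed to sit under C:\WINNT.
SAMPLE_LISTING = [
    r"C:\WINNT\system32\drivers\knlps\nul\usr\bin\_0_mbt.exe",
    r"C:\WINNT\system32\drivers\ndis.sys",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Temp\com1.dll\payload.bin",
]

if __name__ == "__main__":
    for path, hits in scan_paths(SAMPLE_LISTING).items():
        print(f"{path}\n    hidden behind reserved name(s): {', '.join(hits)}")
        print(f"    open with: {extended_length_path(path)}")
```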
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi Maru and welcome to the forum


    While you look as if you know what you're doing on a PC, I would still advise running our first steps guide and attaching the logs, as they will highlight all malware on the PC and give us a full picture to look at, then advise on the best course of action.


    These are our standard cleaning procedures, which are necessary for us to provide you support. Also included are steps for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the link below to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message, so it will require that you use two messages to attach all of these logs!
     
