Win32:Cycler-G

no, the system didn’t reboot itself.
actually, I did restart it after running the bootkit, because the combofix was not running

after the fixmbr, windows just said it was done successfully.
but then, trying to access the OS… it just didn’t work.

Do you have your Windows XP CD? If you do, you should be able to repair both partitions. If you can’t repair both partitions in C: and D:, then start over from scratch by re-formatting both drives and re-installing the OS, however you will lose your personal data (documents, pictures, etc.).

Hi we are still working on this one as it is less than a week old - we have devised a different method to replace the MBR as the remover has not proved to be one hundred percent effective

Hiren’s BootCD

*** Please print these instructions ***
1. Download Hiren’s BootCD 10.2 Iso to the desktop of a clean computer.
2. Extract the zipped HirensBootCD.zip to your desktop.
3. Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
4. Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
5. Insert a blank CD in your drive.
6. Press Start. This will burn the image to disc. After it has completed…
7. Restart your sick computer and boot from the HBCD you created.
   - If your PC is not booting from the CD, you need to change the boot order:
     - Restart your PC
     - As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
     - Once you enter the computer’s BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
     - Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
     - The tab should now show your current boot order.
     - If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
     - Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
     - Your PC should now boot from your CD.
     - Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
   - When the CD boots choose “DOS BootCD”.

http://noahdfear.net/10.2_startup.gif

At the Hiren’s BootCD main menu, select Next and hit Enter.

http://noahdfear.net/main_menu.gif

At the second menu select 1 MBR (Master Boot Record)Tools

http://noahdfear.net/menu2.gif

In the list of MBR Tools select 1 MBR Work 1.08

http://noahdfear.net/mbr_tool.gif

This screen will show the hard drive configuration.

http://noahdfear.net/mbr_tool_fix.gif

Type 5 to Install standard MBR code then hit Enter
Type 1 to select Standard then hit Enter
Type Y then hit Enter to confirm
Type E then hit Enter to exit
Press Ctrl+Alt+Del to restart the machine

Jtaylor - I don’t have the xp cd.

Essexboy - I’m doing it today and then I come here to share the results with you.

thanks

Unfortunately as you are one of the first dozen or so to get this variant we are still trying to figure it out. We have found that one variant corrupts the MBR if it is overwritten - hence working outside of windows

bad luck! :frowning:
now I’m just downloading that hiren’s boot cd.
hope it works!

Make sure you get version 10.2 as the latter ones are not as easy to use

done.
just the way you said. :slight_smile:

Let me know if it fixes it - as I am changing my tactics on this one as I get more data

sure!
but unfortunately I’ll try to fix it only tomorrow.
I’ve been in a hurry this weekend and didn’t buy any cd - mine are all with data!
I work for the federal judiciary here in Brazil and there is an assistant there that deals with IT.
I’ll ask him to burn me the cd.
be sure I’ll share the results with you tomorrow.
thanks again.

Hi Guys,

I had a similar problem as our friend here although, according to hitman pro, the virus name was “trojan win32.Vilsel!Ik” .
Same symptoms as the Win32 Cycler-G variant though. Ad pop ups and at random it would mute the wave volume. Same location of the infected files as well.

Now I couldn’t find any information on the internet about a removal procedure. Already tried combofix but didn’t work. And after booting into the recovery console and deleting the files the hard way, only to find em in place on the next reboot, I figured I could use some help.

Well this thread was very close to my problems so I went for the procedure Essexboy posted. After using remover.exe for the first time it showed the MBR status of both my hard drives were similar as with hslemes… unknown boot status. The fix.bat file fixed it perfectly. And after running Combofix again the problem was solved. I’ve attached the combofix log file (it is in Dutch though but the information remains the same as in English so have fun translating :wink: ).

To Essexboy: Cheers m8 it worked! Ur a lifesaver! 8)

If u guys get any posts regarding the virus “trojan win32.Vilsel!Ik” i can say first hand this is the way to deal with it. Hope this info will be of some use in the future.

To hslemes:

Good luck with getting your system up and running again!

Ow and did u make sure u got all your anti virus programs turned off before using Combofix (it will give u a warning if any is active) that might be the cause of the malfunction of the program.

Cheers!

@M.r.k
Glad it worked, at the moment though we are only getting a 75% success rate with remover. There is one variant that wipes the MBR if fixed from within windows. So far I am the only one to have come across that - typical.

@hslemes
Ta - as you haven’t yet burnt the cd I have just been informed that 10.2 has now been removed and the replacement is 10.6. All on the same page

/MRK - Combofix was used the way it should be.
the problem appeared after overwriting the MBR - the OS just crashed.

by the way, congratulations for beating Brazil in the worldcup! :stuck_out_tongue:

/Essexboy - I’ve already downloaded the 10.2 version. :slight_smile:

OK that will work - I was under the impression it was no longer available

Essexboy

Unfortunately it didn’t work.
I’ve just done everything you told me to do.
After all these steps listed below, I was redirected to R:\TOOLS>.
Then I pressed ctrl+alt+del to restart the machine.
And things are the same way as before.

Is there anything else to try with the Hiren’sBootCD??

One other option is a repair install - details are here http://www.geekstogo.com/forum/index.php?showtopic=138 no data will be lost using this method but the MBR will possibly still need to be repaired. However, there is a programme author who is currently writing a fix for this, the tool is nearly ready. I am currently trialling it in another thread

gosh!
it didn’t work either.
hahah
the XP was just repaired… but it’s still the same.
guess I have no choice - I’ll have to format my computer.
hopefully I believe I can make a backup of my files just using my HD in slave mode…

I can give you details of a live cd which will enable you to back up your files if you wish. The new tool is getting its first run today on another of my threads, the developer thinks he has it cracked

seems to be interesting.
it would be nice if you tell me.
I was intending to format my computer tomorrow.
but I’m ready to try this new tool.

This will give you a windows XP on a disc and will allow you to backup to either USB stick or USB drive all data that you require. There are two variants one with internet drivers and the other without. There will be no need to run the OTLPE portion as you will just be backing up data. The MBR fixing tool unfortunately can only be used during the first stage of the infection when access to windows is available

Please print these instructions out so that you know what you are doing

Version: 3.1.39.0

OTLPEStd.exe
Size: 97,708,316 bytes / 93.1 MB
MD5: F4ACAB8DE63303135A74B407EB302396

OTLPENet.exe
Size: 126,844,958 bytes / 120.9 MB
MD5: 87ADEDE97C0E18F5B4A7C18C6C1C2017

- Download OTLPEStd.exe to your desktop
- Download OTLPENet.exe to your desktop
- Ensure that you have a blank CD in the drive
- Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
- Double click OTLPENet.exe and this will then open imgburn to burn the file to CD

- Reboot your system using the boot CD you just created.
  Note : If you do not know how to set your computer to boot from CD follow the steps here
- As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :slight_smile:

- Your system should now display a Reatogo desktop.
  Note : as you are running from CD it is not exactly speedy
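Before burning a rescue disc it is worth confirming that the downloaded file is the one the poster described. The script below is an added example, not code from the thread or from the OTLPE project: it checks a download against the size and MD5 values posted above (those two values are taken from the post; the function names and the desktop path are my own assumptions).

```python
import hashlib
import os

# Size in bytes and MD5 exactly as posted in the thread for OTLPE version 3.1.39.0.
EXPECTED = {
    "OTLPEStd.exe": (97_708_316, "F4ACAB8DE63303135A74B407EB302396"),
    "OTLPENet.exe": (126_844_958, "87ADEDE97C0E18F5B4A7C18C6C1C2017"),
}


def _result(size, digest, expected_size, expected_md5):
    """Build the comparison record; hex digests are compared case-insensitively."""
    return {
        "size_ok": size == expected_size,
        "md5_ok": digest.lower() == expected_md5.lower(),
        "actual_size": size,
        "actual_md5": digest,
    }


def verify_bytes(data, expected_size, expected_md5):
    """Check an in-memory blob (used for small inputs and for tests)."""
    return _result(len(data), hashlib.md5(data).hexdigest(), expected_size, expected_md5)


def verify_file(path, expected_size, expected_md5, chunk=1 << 20):
    """Stream the file through MD5 so a 120 MB image is never read into memory at once."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
            size += len(block)
    return _result(size, h.hexdigest(), expected_size, expected_md5)


def check_downloads(folder):
    """Verify every expected image in `folder`; None means the file is not there yet."""
    results = {}
    for name, (size, md5) in EXPECTED.items():
        path = os.path.join(folder, name)
        results[name] = verify_file(path, size, md5) if os.path.exists(path) else None
    return results


if __name__ == "__main__":
    # Assumed location: the thread says to download both files to the desktop.
    for name, r in check_downloads(os.path.expanduser("~/Desktop")).items():
        status = "missing" if r is None else ("OK" if r["size_ok"] and r["md5_ok"] else "MISMATCH")
        print(f"{name}: {status}" + ("" if r is None else f" ({r['actual_size']} bytes, md5 {r['actual_md5']})"))
```

A matching hash only shows the download is the same file the poster listed; burn it only if both the size and the MD5 agree.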