Trojan Cycler Issue

[tigersfan]

i am having trouble getting rid of 4 infections when i run my malwarebytes scan. they keep coming back

any help would be appreciated i noticed another thread with the same title as i made mine and i seem to be having the same problems as the other person.

here is my latest scan log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4309

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/13/2010 11:46:18 AM

mbam-log-2010-07-13 (11-46-18).txt

Scan type: Quick scan

Objects scanned: 134240

Time elapsed: 15 minute(s), 56 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

C:\System Volume Information\Microsoft\services.exe (Trojan.Cycler) -> Failed to unload process.

C:\System Volume Information\Microsoft\smss.exe (Trojan.Cycler) -> Failed to unload process.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System volume information\Microsoft\services.exe (Trojan.Cycler) -> Delete on reboot.

C:\System volume information\Microsoft\smss.exe (Trojan.Cycler) -> Delete on reboot.

[tigersfan]

wanted to add that i also get IE popups and i dont even have IE open.

i use firefox 99% of the time

seems something is going on

i also get a popup asking me that IE is not my default browser would you like to make it? i always click no and it still comes back

[tigersfan]

did i post this in the correct forum?

thank you

[Maniac]

Hello tigersfan! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

• The process of cleaning your system may take some time, so please be patient.
  
• Follow my instructions step by step if there is a problem somewhere, stop and tell me.
  
• Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  
• Instructions that I give are for your system only!
  
• If you don't know or can't understand something please ask.
  
• Do not install or uninstall any software or hardware, while work on.
  
• Keep me informed about any changes.
  

Please follow these instructions and post all logs if you can:

http://forums.malwarebytes.org/index.php?showtopic=9573

[tigersfan]

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4309

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/13/2010 2:13:37 PM

mbam-log-2010-07-13 (14-13-37).txt

Scan type: Quick scan

Objects scanned: 134136

Time elapsed: 17 minute(s), 21 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

C:\System Volume Information\Microsoft\services.exe (Trojan.Cycler) -> Failed to unload process.

C:\System Volume Information\Microsoft\smss.exe (Trojan.Cycler) -> Failed to unload process.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System volume information\Microsoft\services.exe (Trojan.Cycler) -> Delete on reboot.

C:\System volume information\Microsoft\smss.exe (Trojan.Cycler) -> Delete on reboot.

[Maniac]

I have it already. What about Defogger? What about DDS? GMER?

[tigersfan]

running my antivirus full scan like the thread says to

not on the defogger step yet

[tigersfan]

just tried the defogger and a log came up

i put my name in the ( ) as it showed my real name

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 15:56 on 13/07/2010 (my name )

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

[tigersfan]

should i continue to the next step?

[tigersfan]

ok here is the DDS log

DDS (Ver_10-03-17.01) - NTFSx86

Run by Jason Mehring at 16:05:03.48 on Tue 07/13/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.480.91 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\S3tray2.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Jason Mehring\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [s3TRAY2] S3tray2.exe

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jasonm~1\applic~1\mozilla\firefox\profiles\yqmm1obw.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]

S0 edbw;edbw;c:\windows\system32\drivers\fucmu.sys --> c:\windows\system32\drivers\fucmu.sys [?]

S3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-7-11 23153]

=============== Created Last 30 ================

2010-07-13 19:53:51 0 ----a-w- c:\documents and settings\jason mehring\defogger_reenable

2010-07-13 05:58:56 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-07-12 22:12:40 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys

2010-07-12 22:12:40 0 d-----w- c:\program files\Belarc

2010-07-12 17:28:30 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL

2010-07-06 21:30:06 0 dc-h--w- c:\windows\ie8

2010-07-06 21:27:21 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-07-06 20:53:00 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-07-06 20:53:00 215920 ----a-w- c:\windows\system32\muweb.dll

2010-07-06 20:53:00 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-07-06 17:43:20 0 d-----w- C:\temp

2010-07-03 20:46:38 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-07-03 20:43:20 0 d-----w- c:\program files\Microsoft Security Essentials

2010-07-03 02:04:26 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-07-01 19:06:43 335 ----a-w- c:\windows\mozregistry.dat

2010-07-01 13:13:04 15360 ---ha-r- c:\windows\system32\drivers\NetMotCM.sys

2010-06-29 03:32:36 189 ----a-w- c:\documents and settings\jason mehring\peek.bat

2010-06-28 20:04:51 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-06-28 03:03:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader

2010-06-24 15:27:29 423656 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-06-28 19:52:03 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2008-09-04 06:05:41 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 16:05:51.10 ===============

[tigersfan]

Attach.zip

Attach.zip

[Maniac]

Please collect everything in one post and then post them.

1. Download Bootkit Remover (note: it's a RAR archived file so you have to install compatible program, like 7-Zip if there's not one installed).

2. Extract the contents to own folder (BRemover folder) on your desktop.

3. Click start->run->type cmd.exe and press enter.

4. In command prompt type this (I assume you extracted folder contents to BRemover folder on your desktop):

"%userprofile%\desktop\Bremover\remover.exe" >"%userprofile%\desktop\logit.txt"

5. Press enter once more to bring cursor back visible after entering the command above. After that operation there should be logit.txt file on your desktop. Attach it to your post, please.

[tigersfan]

the gmer is still running so i thought i would post what i had

sorry

and about

2. Extract the contents to own folder (BRemover folder) on your desktop.

i don't think i know how to do that?

[Maniac]

You need a software for this action. See here:

http://www.binaries4all.com/7zip/

[tigersfan]

ok if i did it correctly will 2 read me files show up on my desktop along with the remover.exe window

thats what happened when i right clicked bootkit on my desktop and went to 7zip and chose extract here

[tigersfan]

ark.zip

[tigersfan]

i typed the cmd in and nothing

say cant find it

log file was blank as well that was on my desktop after i closed out the black window

[tigersfan]

i typed the cmd in and nothing

but im not sure if i extracted them correctly

say cant find it

log file was blank as well that was on my desktop after i closed out the black window

[Maniac]

Click start->run... and type:

cmd

[tigersfan]

the system cannot find the path specified.

[tigersfan]

can you read post #15 and let me know if i did the extracting correctly?

or did i do it incorrect?

[Maniac]

You kidding me....

See here:

http://www.computerhope.com/issues/chdos.htm#01

We need command prompt.

[tigersfan]

yes i know how to go to start run and enter cmd and get the black window open and type what you told me

i when i did it told me

the system cannot find the path specified.

so i don't get what you are saying when you say are you kidding me?

thank you

[Maniac]

Try again with:

"%userprofile%\desktop\bootkit_remover\remover.exe" >"%userprofile%\desktop\logit.txt"

When you extract the archive, the folder should be bootkit_remover and in it should be remover.exe

[tigersfan]

i typed it in exactly how it shows

"%userprofile%\desktop\bootkit_remover\remover.exe" >"%userprofile%\desktop\logit.txt"

then i hit enter

i get this

the system cannot find the path specified.

C:\Documents and Settings\Jason Mehring>

am i typing it wrong or not putting a space maybe where a space should be?