Jump to content

Trojan Cycler Issue


Recommended Posts

i am having trouble getting rid of 4 infections when i run my malwarebytes scan. they keep coming back

any help would be appreciated i noticed another thread with the same title as i made mine and i seem to be having the same problems as the other person.

here is my latest scan log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4309

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/13/2010 11:46:18 AM

mbam-log-2010-07-13 (11-46-18).txt

Scan type: Quick scan

Objects scanned: 134240

Time elapsed: 15 minute(s), 56 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

C:\System Volume Information\Microsoft\services.exe (Trojan.Cycler) -> Failed to unload process.

C:\System Volume Information\Microsoft\smss.exe (Trojan.Cycler) -> Failed to unload process.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System volume information\Microsoft\services.exe (Trojan.Cycler) -> Delete on reboot.

C:\System volume information\Microsoft\smss.exe (Trojan.Cycler) -> Delete on reboot.

Link to post
Share on other sites

  • Replies 58
  • Created
  • Last Reply

Top Posters In This Topic

Hello tigersfan! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.
  • Keep me informed about any changes.

Please follow these instructions and post all logs if you can:

http://forums.malwarebytes.org/index.php?showtopic=9573

Link to post
Share on other sites

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4309

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/13/2010 2:13:37 PM

mbam-log-2010-07-13 (14-13-37).txt

Scan type: Quick scan

Objects scanned: 134136

Time elapsed: 17 minute(s), 21 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

C:\System Volume Information\Microsoft\services.exe (Trojan.Cycler) -> Failed to unload process.

C:\System Volume Information\Microsoft\smss.exe (Trojan.Cycler) -> Failed to unload process.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System volume information\Microsoft\services.exe (Trojan.Cycler) -> Delete on reboot.

C:\System volume information\Microsoft\smss.exe (Trojan.Cycler) -> Delete on reboot.

Link to post
Share on other sites

just tried the defogger and a log came up

i put my name in the ( ) as it showed my real name

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 15:56 on 13/07/2010 (my name )

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Link to post
Share on other sites

ok here is the DDS log

DDS (Ver_10-03-17.01) - NTFSx86

Run by Jason Mehring at 16:05:03.48 on Tue 07/13/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.480.91 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\S3tray2.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Jason Mehring\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [s3TRAY2] S3tray2.exe

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jasonm~1\applic~1\mozilla\firefox\profiles\yqmm1obw.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]

S0 edbw;edbw;c:\windows\system32\drivers\fucmu.sys --> c:\windows\system32\drivers\fucmu.sys [?]

S3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-7-11 23153]

=============== Created Last 30 ================

2010-07-13 19:53:51 0 ----a-w- c:\documents and settings\jason mehring\defogger_reenable

2010-07-13 05:58:56 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-07-12 22:12:40 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys

2010-07-12 22:12:40 0 d-----w- c:\program files\Belarc

2010-07-12 17:28:30 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL

2010-07-06 21:30:06 0 dc-h--w- c:\windows\ie8

2010-07-06 21:27:21 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-07-06 20:53:00 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-07-06 20:53:00 215920 ----a-w- c:\windows\system32\muweb.dll

2010-07-06 20:53:00 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-07-06 17:43:20 0 d-----w- C:\temp

2010-07-03 20:46:38 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-07-03 20:43:20 0 d-----w- c:\program files\Microsoft Security Essentials

2010-07-03 02:04:26 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-07-01 19:06:43 335 ----a-w- c:\windows\mozregistry.dat

2010-07-01 13:13:04 15360 ---ha-r- c:\windows\system32\drivers\NetMotCM.sys

2010-06-29 03:32:36 189 ----a-w- c:\documents and settings\jason mehring\peek.bat

2010-06-28 20:04:51 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-06-28 03:03:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader

2010-06-24 15:27:29 423656 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-06-28 19:52:03 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2008-09-04 06:05:41 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 16:05:51.10 ===============

Link to post
Share on other sites

Please collect everything in one post and then post them.

1. Download Bootkit Remover (note: it's a RAR archived file so you have to install compatible program, like 7-Zip if there's not one installed).

2. Extract the contents to own folder (BRemover folder) on your desktop.

3. Click start->run->type cmd.exe and press enter.

4. In command prompt type this (I assume you extracted folder contents to BRemover folder on your desktop):

"%userprofile%\desktop\Bremover\remover.exe" >"%userprofile%\desktop\logit.txt"

5. Press enter once more to bring cursor back visible after entering the command above. After that operation there should be logit.txt file on your desktop. Attach it to your post, please.

Link to post
Share on other sites

i typed it in exactly how it shows

"%userprofile%\desktop\bootkit_remover\remover.exe" >"%userprofile%\desktop\logit.txt"

then i hit enter

i get this

the system cannot find the path specified.

C:\Documents and Settings\Jason Mehring>

am i typing it wrong or not putting a space maybe where a space should be?

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.