
Cycbot.b & Generic Host Process Error


  • This topic is locked
2 replies to this topic

#1 helicon9

Posted 27 May 2011 - 04:20 PM

Hi,

Hope someone can help. I've been trying to fix my sister's PC (Windows XP SP3), which was infected with cycbot.b, with constant browser redirects and blue screens.
It looks like MS Security Essentials detected it quite a few times but didn't remove it.
I think her PC has become infected with even more trojans as a result.
I followed the advice in another thread to try and remove it, running DrWeb CureIt then Malwarebytes Anti-Malware; this found lots of viruses/trojans but no mention of cycbot.b.

Now when starting the PC and logging in, after about a minute I get a generic host process error; at this point about 50% of the services stop running, and I can't get a network or internet connection.
I'd prefer to format the PC, but my sis has data scattered everywhere and I am worried about infecting my own PC & network if I try backing her data up.
So if anyone can please help me clean it, that would be great, thanks!

I've run DDS & GMER:
DDS.txt below, Attach.txt & Ark.txt attached:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by James at 18:17:57 on 2011-05-27
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.190 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\James\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-inc&channel=uk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-inc&channel=uk
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://homebase.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxp://erooms.leedsmet.ac.uk/eRoomSetup/client.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://remote.parklanecoll.ac.uk/fred/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://www.childcareevouchers.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\james\application data\mozilla\firefox\profiles\u4b7pa6c.default\
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl8ea237ec;MpKsl8ea237ec;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{babd807a-80a7-4715-8dc6-aed842627a59}\MpKsl8ea237ec.sys [2011-5-27 28752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2011-2-7 54760]
S1 MpKsl1a2c322d;MpKsl1a2c322d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6620f47e-15e3-4a85-99cc-f403c770104b}\mpksl1a2c322d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6620f47e-15e3-4a85-99cc-f403c770104b}\MpKsl1a2c322d.sys [?]
S1 MpKsl454586a3;MpKsl454586a3;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e3482f36-9579-4dc8-8052-30da64be5af0}\mpksl454586a3.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e3482f36-9579-4dc8-8052-30da64be5af0}\MpKsl454586a3.sys [?]
S1 MpKsl541ea02b;MpKsl541ea02b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6f3f3b2d-9afa-4db8-8884-8c10d3a7db46}\mpksl541ea02b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6f3f3b2d-9afa-4db8-8884-8c10d3a7db46}\MpKsl541ea02b.sys [?]
S1 MpKslc311ed08;MpKslc311ed08;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{116f24d1-3684-40e6-956a-08c0d9f55cce}\mpkslc311ed08.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{116f24d1-3684-40e6-956a-08c0d9f55cce}\MpKslc311ed08.sys [?]
S1 MpKslc3dbeacb;MpKslc3dbeacb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2b55eda3-7cc6-4dc9-897d-695f1ed31b8a}\mpkslc3dbeacb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2b55eda3-7cc6-4dc9-897d-695f1ed31b8a}\MpKslc3dbeacb.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S2 TeamViewer6;TeamViewer 6;c:\docume~1\james\locals~1\temp\teamviewer\version6\teamviewer_service.exe --> c:\docume~1\james\locals~1\temp\teamviewer\version6\TeamViewer_Service.exe [?]
S3 APL531;Hercules Blog Webcam;c:\windows\system32\drivers\BLvidv.sys [2011-2-7 285952]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S3 hxctlflt;hxctlflt;c:\windows\system32\drivers\hxctlflt.sys [2011-2-7 99968]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\21923\RapportIaso.sys [2011-1-21 12928]
.
=============== File Associations ===============
.
.scr=cmdfile
.
=============== Created Last 30 ================
.
2011-05-27 16:59:40 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{babd807a-80a7-4715-8dc6-aed842627a59}\MpKsl8ea237ec.sys
2011-05-27 16:26:56 -------- d-----w- C:\SAS
2011-05-27 10:19:44 7071056 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{babd807a-80a7-4715-8dc6-aed842627a59}\mpengine.dll
2011-05-27 08:56:48 -------- d-----w- c:\documents and settings\james\application data\Malwarebytes
2011-05-27 08:55:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-27 08:55:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-27 08:55:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-27 08:55:27 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-05-27 08:54:46 -------- d-----w- C:\Mbam Rules
2011-05-26 21:24:11 7734240 ----a-w- C:\mbam-setup.exe
2011-05-26 09:20:09 -------- d-----w- c:\documents and settings\james\DoctorWeb
2011-05-10 19:44:20 -------- d-----w- c:\program files\AVAST Software
2011-05-10 19:44:20 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-05-10 17:20:29 66702736 ----a-w- C:\mpam-fe.exe
2011-05-10 17:04:07 -------- d-----w- c:\documents and settings\james\local settings\application data\Mozilla
2011-05-10 08:27:39 -------- d-----w- c:\documents and settings\james\application data\TeamViewer
2011-04-30 12:34:24 -------- d-----w- c:\documents and settings\all users\application data\McAfee Security Scan
2011-04-30 12:34:17 -------- d-----w- c:\program files\McAfee Security Scan
2011-04-30 09:06:44 -------- d-----w- c:\program files\Microsoft Corporation
2011-04-30 08:49:31 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-04-30 08:48:45 -------- d-----w- c:\windows\SHELLNEW
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ------w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_HD080HJ/P rev.ZH100-34 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82B7C4F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82b827d0]; MOV EAX, [0x82b8284c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x82B9CAB8]
3 CLASSPNP[0xF84F5FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82BA2D78]
\Driver\atapi[0x82BD52A8] -> IRP_MJ_CREATE -> 0x82B7C4F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82B7C33B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 18:19:35.39 ===============

#2 helicon9
Posted 01 June 2011 - 01:12 AM

Never mind, I've formatted the PC.
Please close the thread.
Thanks.

#3 Budapest
  • Moderator
Posted 01 June 2011 - 04:46 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
