Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected with b.exe

  • This topic is locked This topic is locked
2 replies to this topic

#1 Blarm1959


  • Members
  • 1 posts
  • Local time:05:14 PM

Posted 24 July 2009 - 06:28 PM

Internet explorer pops up randomly and when selecting an item from a google search.

Have tried to clean as much as possible, but cannot get rid of b.exe.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Ruth at 0:19:39.62 on 25/07/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1045 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\Iexplore.exe

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - No File
TB: {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Tesco Insert Detect] c:\program files\tesco\picture suite\InsDetect.exe
uRun: [Monopod] c:\docume~1\ruth\locals~1\temp\b.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [DLCDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCDtime.dll,_RunDLLEntry@16
mRun: [dlcdmon.exe] "c:\program files\dell photo aio printer 944\dlcdmon.exe"
mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 944\memcard.exe"
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [hpqSRMon] c:\program files\hewlett-packard\digital imaging\bin\hpqSRMon.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aol80t~1.lnk - c:\program files\aol 8.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Search with Freeserve - c:\progra~1\freese~1\fsbar\FSBar.dll/VSearch.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {15AC034D-14DF-4AF8-9D02-29E1F56A8235} - hxxp://www.virgindigital.co.uk/activeX/VirginWMA.cab
DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - hxxp://static.windupdates.com/cab/WebsiteAccess/ie/Bridge-c136.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - hxxp://www.miniclip.com/platypus/miniclipGameLoader.dll
DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - hxxp://www.miniclip.com/supergerball/miniclipGameLoader.dll
DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - hxxp://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://download.shockwave.com/pub/otoy/OTOYAX.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38107.9838657407
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} - hxxp://www.instantaction.com/download/iaplayer.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/insaniquarium/popcaploader_v6.cab
DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} - hxxp://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-20 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-20 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-20 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 298776]
S3 k310bus;Sony Ericsson K310 Driver driver (WDM);c:\windows\system32\drivers\k310bus.sys [2007-9-14 60800]
S3 k310mdfl;Sony Ericsson K310 USB WMC Modem Filter;c:\windows\system32\drivers\k310mdfl.sys [2005-12-28 9264]
S3 k310mdm;Sony Ericsson K310 USB WMC Modem Driver;c:\windows\system32\drivers\k310mdm.sys [2005-12-28 96352]
S3 k310mgmt;Sony Ericsson K310 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k310mgmt.sys [2005-12-28 87824]
S3 k310obex;Sony Ericsson K310 USB WMC OBEX Interface;c:\windows\system32\drivers\k310obex.sys [2005-12-28 85696]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2008-4-6 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2008-4-25 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2008-4-25 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s125mgmt.sys [2008-4-25 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2008-4-25 98696]
S4 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]

=============== Created Last 30 ================

2009-07-24 20:59 <DIR> --d----- C:\bill
2009-07-23 17:18 141,312 a------- c:\windows\msa.exe
2009-07-23 17:17 140,804 a------- c:\windows\system32\msxml71.dll
2009-07-23 17:07 1,176,880 a------- c:\windows\system32\xa.tmp
2009-07-17 13:20 244 a---h--- C:\sqmnoopt06.sqm
2009-07-17 13:20 232 a---h--- C:\sqmdata06.sqm
2009-07-17 13:13 244 a---h--- C:\sqmnoopt05.sqm
2009-07-17 13:13 232 a---h--- C:\sqmdata05.sqm
2009-07-17 13:12 244 a---h--- C:\sqmnoopt04.sqm
2009-07-17 13:12 232 a---h--- C:\sqmdata04.sqm
2009-07-13 14:17 244 a---h--- C:\sqmnoopt03.sqm
2009-07-13 14:17 232 a---h--- C:\sqmdata03.sqm
2009-07-13 14:06 244 a---h--- C:\sqmnoopt02.sqm
2009-07-13 14:06 232 a---h--- C:\sqmdata02.sqm

==================== Find3M ====================

2009-07-06 10:11 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-25 11:00 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 15:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 15:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 20:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 05:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 05:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 05:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 05:56 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-29 05:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 05:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-29 05:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 05:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 05:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 10:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 10:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2004-08-05 08:16 72 a------- c:\docume~1\ruth\applic~1\tvmcwrd.dll
2004-08-05 08:05 210,790 a------- c:\docume~1\ruth\applic~1\tvmknwrd.dll
2009-01-20 09:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012020090121\index.dat

============= FINISH: 0:21:08.31 ===============

Attached Files

BC AdBot (Login to Remove)



#2 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:14 PM

Posted 03 August 2009 - 11:22 AM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would
be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in you reply, Do not attach them unless asked too.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt


#3 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:14 PM

Posted 07 August 2009 - 06:18 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users