Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with b.exe and other worms


  • This topic is locked This topic is locked
3 replies to this topic

#1 ottndfan

ottndfan

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 22 August 2009 - 09:48 AM

A few days ago I was infected with the TOTAL SECURITY bug and was not able to launch any programs and or open in safe mode. I was finally able to kill enough of the processes to open Malwarebytes program and get rid of it. Now i have this b.exe process that keeps coming up. It plays commercial music on my computer when nothing else is running.


DDS (Ver_09-07-30.01) - FAT32x86
Run by Don at 9:30:12.57 on Sat 08/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.112 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
C:\DOCUME~1\Don\LOCALS~1\Temp\b.exe
C:\Documents and Settings\Don\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Comcast
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
BHO: c:\\windows\\system32\\hs7f3uhduhfukde.dll - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {61539ECD-CC67-4437-A03C-9AACCBD14326} - No File
TB: {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Monopod] c:\docume~1\don\locals~1\temp\b.exe
mRun: [LaunchApp]
mRun: [Acer ePresentation HPD] c:\acer\empowering technology\epresentation\ePresentation.exe
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [INPROCOMMWireless] c:\program files\atheros\wireless\utility\WlanUtil.exe
mRun: [BroadcomWireless] c:\program files\broadcom\wireless\utility\WlanUtil.exe
mRun: [lxdcmon.exe] "c:\program files\lexmark 1300 series\lxdcmon.exe"
mRun: [lxdcamon] "c:\program files\lexmark 1300 series\lxdcamon.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {82AD44AB-A388-435E-A53B-74BF554EB6EF} - hxxp://www.mtprofessional.com/os7/downloads/MT_Pro&Buzz/setup.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\don\applic~1\mozilla\firefox\profiles\vdg5n5p1.default\
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

S2 gupdate1c9979bcb2652c2;Google Update Service (gupdate1c9979bcb2652c2);c:\program files\google\update\GoogleUpdate.exe [2009-2-25 133104]
S4 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
S4 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe -service --> c:\windows\system32\lxdvcoms.exe -service [?]
S4 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdvserv.exe [2008-4-15 98984]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-11 1174152]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-2 24652]
SUnknown dgwra;dgwra; [x]

=============== Created Last 30 ================

2009-08-21 16:13 <DIR> --d----- c:\docume~1\don\applic~1\Uniblue
2009-08-21 16:13 <DIR> --d----- c:\program files\Uniblue
2009-08-21 16:13 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-08-19 17:11 340 a------- C:\Shortcut to Shared Documents.lnk
2009-08-19 15:34 <DIR> --d----- C:\!KillBox
2009-08-08 16:23 24,576 a------- c:\windows\system32\tapi.nfo
2009-08-08 16:23 76,288 a------- C:\criqmsck.exe
2009-08-08 16:23 27,136 a------- C:\ibts.exe
2009-08-08 16:23 44,032 a------- C:\phheq.exe
2009-08-08 16:23 53,760 a------- c:\windows\system32\drivers\WZSZXarcnompbkdvmxiilqmwmilrsyotflcco.sys
2009-08-08 16:23 46 a------- C:\p2hhr.bat
2009-08-08 16:22 19,456 a------- C:\niawndos.exe
2009-08-08 16:22 9,728 a------- C:\umoikchf.exe
2009-08-08 16:22 19,456 a------- C:\rcvbm.exe
2009-08-08 16:22 190,460 a------- c:\windows\system32\wisdstr.exe
2009-08-08 16:22 19,456 a------- C:\hcel.exe

==================== Find3M ====================

2009-08-01 14:12 94,208 a------- c:\windows\DUMP1d1d.tmp
2009-06-17 15:55 94,208 a------- c:\windows\DUMP1d4c.tmp
2009-05-31 09:58 94,208 a------- c:\windows\DUMP1caf.tmp
2009-05-25 10:24 87,608 a------- c:\docume~1\don\applic~1\inst.exe
2009-05-25 10:24 47,360 a------- c:\docume~1\don\applic~1\pcouffin.sys

============= FINISH: 9:30:42.09 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 ottndfan

ottndfan
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 27 August 2009 - 05:35 PM

I have not heard a response to this....Am i to assume noone is going to help??

#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 AM

Posted 03 September 2009 - 06:51 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#4 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Philadelphia
  • Local time:09:51 AM

Posted 12 September 2009 - 06:24 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
All others please read The Preparation Guide before starting your topic.

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users