Kudos0

b.exe and trojandownloader remaining on computer

I think I just got hit with this same problem. Last night I was checking my email and this PDF file tries to open and then a song track starts to play out of my speakers. I closed the pop-up windows that resulted and ran my Norton and Spybot programs, but nothing came back, so I just closed my computer and went to bed. Today my computer is acting really slow and Firefox is having issues trying to start up.

I should say that Spybot keeps blocking b.exe from running because I won't allow the "value change". I read some other posts on this issue and found the a.exe, b.exe and c.exe files in my temp folder. I deleted them and emptied the trash, but b.exe and 2 other files remained. I have downloaded HJT and posted the log result below. Also, I have downloaded and installed Malwarebytes and it is currently scanning my C (local disk), D (partition) and E (storage drive) drives.

I'm not sure what else to do... Can you please give me some advice?

-Joker

[edit: Changed subject for clarity.]

Message Edited by shannons on 08-09-2009 03:05 PM

Replies

Kudos0

Re: b.exe and trojandownloader remaining on computer

Joker

You can try scanning with:

Malwarebytes - www.malwarebytes.org

and

Superantispyware - www.superantispyware.com

Should help... :-)

Matt

"The fact that man knows right from wrong proves his intellectual superiority to other creatures; but the fact that he can do wrong proves his moral inferiority to any creature that cannot."- Mark Twain
Kudos0

Re: b.exe and trojandownloader remaining on computer

Thanks for the info... I'm running Malwarebytes right now... it's found 7 infected files and has been running for about 35 min... once it's done I plan to install and run SUPERAntiSpyware and see if that cleans this stuff off my computer.

-Joker

Kudos0

Re: b.exe and trojandownloader remaining on computer

CRAP! Now I got something else running on my computer called msa.exe... it's taking up more memory than Firefox... What is msa and how do I get rid of it????

-Joker

[edit: Please keep post content clean per the Participation Guidelines and Terms of Service.]

Message Edited by shannons on 08-09-2009 11:28 AM
Kudos1

Re: b.exe and trojandownloader remaining on computer

Joker,

That msa.exe is related to the b.exe.

Try installing and updating SAS (and make sure MBAM is also updated), then restart your PC in safe mode and do a full scan with both.

Matt

Kudos1

Re: b.exe and trojandownloader remaining on computer

drkjoker2501:

Mattsegers has given you some very good advice.  I would also like to see you disconnect from the internet while running the scans, disable your system restore, clear your browser caches, and dump all recent temp files.  When you get to your temp folder, you will be able to click on view in the menu bar, by modification date.  Choose a time well before the date of infection and dump everything after that point.

MBAM and SAS should clear whatever has been causing the problem.  We do not have a HJT analyst available online at the moment, but we will ask you to produce another log once all the scans have been completed.  If anything is left that cannot be deleted by either of those programs and Norton, then we have a problem.

In the meantime, remain calm, you have at least six hours of scanning time ahead of you.  Been there, done that.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain
Kudos0

Re: b.exe and trojandownloader remaining on computer

Thank you for the info again... I run a custom build PC with XP and I am having trouble getting it to boot into safe mode. After pressing F8 it asks for a first boot device and lists both of the HDs and my DVD drive... but nothing about safe mode. I am not sure if I should just disconnect from the internet (my computer is disconnected and I only reconnect it to reply to these messages... thank god for iPod touch) and run the scans normally, because I am unsure how to load safe mode. I contacted my friend who helped build this computer and he tells me I should just back up my files (did that as soon as I noticed something was wrong yesterday) and reformat my computer... but I would like to avoid that as much as possible.

Any ideas on how to load safe mode?

Kudos0

Re: b.exe and trojandownloader remaining on computer

drkjoker2501:

No kidding.  I would not choose to reformat for anything less than a major disaster, which this probably isn't.  You might be tapping F8 late.  Try again as soon as you reboot, and tap repeatedly until the safe mode menu comes up.  You should have a choice of start normally, safe mode, safe mode with networking, and last good configuration.  It's been a long time since I was there and the memory isn't what it used to be.

This link also provides information

http://support.microsoft.com/kb/315222

If you are still unable to get into safe mode look at this info

http://www.computerhope.com/issues/ch000750.htm

Kudos0

Re: b.exe and trojandownloader remaining on computer

OK, I got the boot safe mode thing worked out... pressing F8 too early, I guess. I ran MBA and SAS in safe mode and cleaned some tracking cookies and 2 trojan viruses off the computer, and just finished running MBA and SAS in normal mode. SAS found only 63 tracking cookies, which I was able to delete; however, I was unable to see the cookie folder when I went to the dir above it. I attached the log files for HJT and MBA below. MBA returned 9 times infected and I believe it only removed 4 of them. I'm not sure what else to do, but I am happy to report that the a.exe, b.exe and c.exe files are gone from my temp folder (deleted them from the folder after the safe mode virus scans) and I can no longer find them when running search. Can you please check my HJT results and let me know if there is anything else I need to do?

Thank you again for everyone's help.

-Joker

Kudos1

Re: b.exe and trojandownloader remaining on computer

Hi

MBAM will delete the others when it reboots the PC; in the log it states that by saying "Delete on Reboot".

You also have Spybot S&D in realtime (TeaTimer etc).

Quads 

Kudos0

Re: b.exe and trojandownloader remaining on computer

dkrjoker:

When you have more than one real-time antivirus scanner running at the same time, you get program conflicts.  A lot of the users who come here with infections are running two scanners.  In your case Teatimer should be disabled.  Spybot S & D will actually prevent the removal of the more serious infections.

Kudos0

Re: b.exe and trojandownloader remaining on computer

Thanks to Quads and delphinium for that bit of information. I have run individual scans without Spybot and am happy to report that SAS was clean. Norton found only 1 tracking cookie (removed). I am scared to say that this might be over with, because I don't have the best luck with these things, so I am posting my latest HJT and MBA logs for your review. I hope they prove that this thing has been removed from my system... Again, thanks to delphinium, Quads and mattsegers for your help.

Please let me know if the logs show anything at all.

-Joker

Kudos0

Re: b.exe and trojandownloader remaining on computer

Hi,

I would suggest removing Spybot from your computer as having Norton Auto-Protect is enough, along with Malwarebytes' Anti-Malware and SUPERAntiSpyware Free Edition.  Please do not pay for Malwarebytes' as this will add Real-Time Protection.

Could you Re-Start in to Safe Mode again, making sure you Update all three Products, and do three Full System Scans with Norton, Malwarebytes' and SUPERAntiSpyware in the Administrator Account.

And you should do all Anti-Virus Scans dis-connected from the Internet.

Can't remember if you mentioned what Norton Product and Version you are using; could you tell us?

Thanks!

________________________________________________________-

What was the Name of the Trojan that Norton (?) Removed?

Message Edited by Floating_Red on 08-10-2009 06:10 PM
Kudos0

Re: b.exe and trojandownloader remaining on computer

Please run HiJackThis and check the following:

R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

Then click on "Fix checked" in HiJackThis.


Please download GMER from http://www.gmer.net and run the program. Select "Scan" and then "Save" the log. Do nothing else with the GMER program as it can harm your system if used incorrectly. Then attach the log file as a text file to a post here. The Add Attachments link is below the orange Post button. It will be reviewed for possible malware and we will get back to you. Again, thanks for your help in this.

Win7 x32 SP1
Kudos0

Re: b.exe and trojandownloader remaining on computer




Please download GMER from http://www.gmer.net and run the program. Select "Scan" and then "Save" the log. Do nothing else with the GMER program as it can harm your system if used incorrectly. Then attach the log file as a text file to a post here. The Add Attachments link is below the orange Post button. It will be reviewed for possible malware and we will get back to you. Again, thanks for your help in this.


Why GMER when there is no mention or symptom of a Rootkit, their Norton works etc??
 
Quads 
Kudos0

Re: b.exe and trojandownloader remaining on computer

OK, I have run MBA and SAS in safe mode disconnected from the internet (the version of Norton 360 I have does not run in safe mode), but SAS came up clean in safe mode and so did Norton in normal mode. MBA found 4 "trojan fake alerts" named Hkey_Classes_Root\CLSID and 3 others of Hkey_Classes_Root. They keep reappearing each time I reboot my system. I am about to run HJT and fix the issues dbrisendine pointed out... after that I will download and run GMER, because this all started with the rootkit virus and don't want it to come back.

I'll post the results as soon as they are done.

-Joker

Kudos0

Re: b.exe and trojandownloader remaining on computer

OK, I have made the "fixes" that dbrisendine noted from my HJT log and I have finished running the GMER program. *** A note to anyone planning to run this program: it takes a LONG time. I stopped clocking it at 3 hours and just let it run overnight, but it had stopped at 5am so it could only have run for a max of 5 hours. ***

Please let me know if this GMER log shows anything of interest.

-Joker

Kudos0

Re: b.exe and trojandownloader remaining on computer

Hi

It's not a Rootkit, but those bad registry entries shown in the GMER log should have been detected by Malwarebytes.

Did you use Malwarebytes all the way through to remove what it found??

Quads 

Kudos0

Re: b.exe and trojandownloader remaining on computer

Yes... I have run Malwarebytes several times and, except for the first time I ran it, the only things it finds are 4 trojan.fake alerts called

Hkey_classes_Root\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d}

Hkey_classes_Root\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058}

Hkey_classes_Root\xml.xml

Hkey_classes_Root\xml.xml.1

That is all that Malwarebytes finds. I'll post the most recent Malwarebytes log to show you.

-Joker

Kudos0

Re: b.exe and trojandownloader remaining on computer

Hi

That's interesting: MBAM has detected the HKCR registry part of the Malware but not the HKLM section.

Which has various names like "Explorer32.Hijacker"

I will build a script for the removal.

Quads 

Kudos0

Re: b.exe and trojandownloader remaining on computer

thank you very much! 

-Joker

Kudos0

Re: b.exe and trojandownloader remaining on computer

Hi

If you have Spybot S&D installed, remove it.

Also, during the restarts with Avenger, if your PC has a Startup repair center, like with HP and Toshiba, tell it to start Normally if it kicks in.

1. Download Avenger to your desktop,

Unzipped version http://homepages.slingshot.co.nz/~crutches/Avenger/

OR Creator's website http://swandog46.geekstogo.com/avenger2/avenger2.html with zipped version to then unzip to desktop

2. Click to run "Avenger.exe"  (right click "Run as Administrator" if using Vista)

3. In the "Input script here:" copy and paste the script between the lines


Files to delete:

C:\WINDOWS\system32\msxml71.dll

Registry keys to delete:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E24211B3-A78A-C6A9-D317-70979ACE5058}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XML.XML

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XML.XML.1


Here is a screenshot (script updated since shot)

Make sure the "Automatically disable any rootkits found" is NOT selected

4. Click "Execute"

You will be asked to restart the PC; click "Yes". When the PC restarts the load screen will take slightly longer, then when it looks as though Windows is loading the PC will restart again.

Then when Windows fully loads the Avenger log will be loaded, showing files it could or could not find.

Quads 
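
A read-only way to confirm the result after the Avenger reboot, added here as an example and not part of Quads' post or script: HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes, which is why the HKCR detections correspond to the HKLM paths in the script. The sketch assumes PowerShell 3.0 or later; the key names and the DLL path are the ones listed in the thread, and the variable names are illustrative.

```powershell
# Added example: checks whether the items named in the Avenger script still exist.
# Nothing is deleted or modified. Both hives that back HKCR are inspected.
$subKeys = @(
    'CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}',
    'TypeLib\{E24211B3-A78A-C6A9-D317-70979ACE5058}',
    'XML.XML',
    'XML.XML.1'
)
$roots = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes',
    'Registry::HKEY_CURRENT_USER\Software\Classes'
)
$dll = 'C:\WINDOWS\system32\msxml71.dll'

$findings = @()
foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $path = "$root\$sub"
        # -LiteralPath keeps the braces in the GUID from being interpreted.
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # If the key is a COM class, record which DLL the registration would load.
        $detail = $null
        $inproc = "$path\InprocServer32"
        if (Test-Path -LiteralPath $inproc) {
            $detail = (Get-ItemProperty -LiteralPath $inproc).'(default)'
        }
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Path = $path; Detail = $detail }
    }
}

if (Test-Path -LiteralPath $dll) {
    # -Force so a hidden or system attribute does not hide the file.
    $item = Get-Item -LiteralPath $dll -Force
    $findings += [pscustomobject]@{ Type = 'File'; Path = $dll; Detail = $item.LastWriteTime }
}

if ($findings.Count -eq 0) {
    'No remnants found under HKLM, HKCU or system32.'
} else {
    $findings | Format-List
}
```

If an entry reappears in this output after a reboot, something is still recreating it, which matches the symptom described earlier in the thread.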

Kudos0

Re: b.exe and trojandownloader remaining on computer

Here is what Symantec / Norton calls it

http://www.symantec.com/en/uk/security_response/writeup.jsp?docid=2008-102416-5319-99&tabid=2

Notice the a.exe, b.exe, c.exe

Quads 

Kudos0

Re: b.exe and trojandownloader remaining on computer

Quads, you are a beautiful person. I ran MBA and it was clean... Avenger did its job. Norton came back clean as well. I think my computer is fully clean, don't you?

Thanks to everyone who helped me with this **bleep** virus stuff, I owe you all.

-Joker

Replies are locked for this thread.