TechSpot

b.exe

By Emmalinauk
Aug 17, 2006
  1. I seem to have downloaded some kind of trojan / spyware / virus thing (I don't know what it is). It's called b.exe and there is a post somewhere on how to delete it, which I will do.

    My question is, do I have to back up everything before going into "safe mode" or will my files be ok?

    Thanks for your help!

    Emma
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    No you don`t need to back everything up before going into safe mode.

    Go HERE and follow the instructions exactly.

    Post a fresh HJT log as an attachment into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of Emmalinauk only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. joked u 2

    joked u 2 TS Rookie Posts: 128

    Do you know how to get to safe mode? And if you don't mind me asking... where do you live? [Just a state is fine]
     
  4. Emmalinauk

    Emmalinauk TS Rookie Topic Starter

    I do know because I saw it on a previous post.

    Were you asking me what state I'm from btw? I'm from London, England

    :)
     
  5. joked u 2

    joked u 2 TS Rookie Posts: 128

    Sorry, I know someone from the US named Emma; I guessed my chances are slim. Sorry, thought you were someone else.
     
  6. Emmalinauk

    Emmalinauk TS Rookie Topic Starter

    Hello again...

    I tried to do what you said in a previous post (about deleting netmon.exe & stub_113_4_0_4_0.exe) but I can't find them anywhere. Is it possible I have something else wrong?

    Do you have any other ideas?

    Thanks for your help
    Emma
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    PartyGaming\PartyPoker
    Dealio
    BroadJump\Client Foundation
    broadband medic

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    CFD.exe
    DealioAu.exe
    wmplayer.exe
    matcli.exe
    RunApp.exe
    MotiveSB.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O1 - Hosts: 205.238.40.2 www.winmx.com

    O1 - Hosts: 205.238.40.2 err.winmx.com

    O1 - Hosts: 209.67.209.50 test3201.winmx.com test3203.winmx.com test3205.winmx.com test3207.winmx.com

    O1 - Hosts: 82.43.224.20 test3202.winmx.com test3204.winmx.com test3206.winmx.com test3208.winmx.com

    O1 - Hosts: 209.67.209.50 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com

    O1 - Hosts: 212.227.64.159 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com

    O1 - Hosts: 82.195.155.5 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com

    O1 - Hosts: 82.43.224.20 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com

    O1 - Hosts: 209.67.209.50 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com

    O1 - Hosts: 212.227.64.159 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com

    O1 - Hosts: 82.195.155.5 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com

    O1 - Hosts: 82.43.224.20 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com

    O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\Dealio.dll

    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

    O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\Dealio.dll

    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

    O4 - HKLM\..\Run: [au] "C:\Program Files\Dealio\DealioAu.exe"

    O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

    O4 - Global Startup: wmplayer.exe

    O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\res\DealioSearch.html

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

    O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\Dealio.dll

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\Dealio
    C:\Program Files\PartyGaming
    C:\Program Files\ntl\broadband medic
    C:\Program Files\BroadJump
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe


    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Emmalinauk only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
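
    As an added example (not part of the original thread, and not code from HijackThis or TechSpot), this Python script parses HJT lines of the kinds listed in the post above, groups the O1 hosts-file redirects by IP, and reports which referenced files sit outside the folders the post says to delete. The function names and the abridged sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: lines abridged from the HJT entries quoted in the post.
SAMPLE_LOG = r"""
O1 - Hosts: 205.238.40.2 www.winmx.com
O1 - Hosts: 205.238.40.2 err.winmx.com
O1 - Hosts: 209.67.209.50 test3201.winmx.com test3203.winmx.com
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\Dealio.dll
O4 - HKLM\..\Run: [au] "C:\Program Files\Dealio\DealioAu.exe"
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""
DELETE_DIRS = [r"C:\Program Files\Dealio"]  # one folder from the post's delete list

ENTRY_RE = re.compile(r"^([A-Z]\d+)\s+-\s+([^:]+):\s*(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|html|lnk)\b', re.I)

def parse_hjt(text):
    """Return one dict per recognised HJT line (section code, kind, fields)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, kind, rest = m.groups()
        entry = {"code": code, "kind": kind.strip(), "raw": rest}
        if code == "O1":                      # hosts-file line: IP, then names
            parts = rest.split() or [""]
            entry.update(ip=parts[0], names=parts[1:])
        else:                                 # other sections: CLSID and/or file
            clsid, path = CLSID_RE.search(rest), PATH_RE.search(rest)
            entry.update(clsid=clsid and clsid[0], path=path and path[0])
        entries.append(entry)
    return entries

def hosts_redirects(entries):
    """Map each IP to the sorted host names the hosts file redirects to it."""
    by_ip = defaultdict(set)
    for e in entries:
        if e["code"] == "O1":
            by_ip[e["ip"]].update(n.lower() for n in e["names"])
    return {ip: sorted(names) for ip, names in by_ip.items()}

def not_covered(entries, delete_dirs):
    """Referenced files outside the delete folders (string match only, so 8.3 names differ)."""
    dirs = tuple(d.lower().rstrip("\\") + "\\" for d in delete_dirs)
    return sorted({e["path"] for e in entries
                   if e.get("path") and not e["path"].lower().startswith(dirs)})
```
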
     
  8. Emmalinauk

    Emmalinauk TS Rookie Topic Starter

    Hi Howard

    I have done what you suggested and it seems to have worked as I am no longer getting the b.exe error message. I am however, still getting pop ups from NTL Netguard saying that it has detected a virus.

    I assumed that the b.exe was causing the problems but I think that's probably not the case now. I have attached the error message that continuously pops up whilst my PC is on. It basically says that I have a virus and lists names of songs - none of which I have downloaded and they are not on my PC?! (I have also attached an updated HJT log)

    Any help would be much appreciated.

    Thanks for your help!

    Emma
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\res\DealioSearch.html

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox.

    C:\Program Files\Dealio\res\DealioSearch.html

    Once your system has rebooted, turn system restore back on and post a fresh HJT log.

    Regards Howard :)

     
  10. Emmalinauk

    Emmalinauk TS Rookie Topic Starter

    You were quick - I just amended my reply as it didn't work after all

    Will what you said fix my other problem too?

    Thanks
    Emma
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Follow the above instructions, then post a fresh HJT log.

    Regards Howard :)
     
  12. Emmalinauk

    Emmalinauk TS Rookie Topic Starter

    Here is my HJT log.

    I'm still getting the Netguard pop ups :( They only seem to appear when I open a P2P site though I've realised...

    Thanks again
    Emma
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    The NTL Netguard programme is utter crap. It`s known to give false positives.

    The best advice I can give you is to download the free AVG antivirus programme and either the free Zonealarm or the free Kerio firewall programmes. You can get them HERE, HERE and HERE.

    Then disconnect from the net and uninstall Netguard from add remove programmes in your control panel. Once it`s fully uninstalled, reboot your system.

    Install whichever firewall you chose, followed by AVG. Reboot your system the required number of times and reconnect to the net. Run the AVG updates.

    Boot into safe mode and turn off system restore. Run a full system scan with AVG and delete whatever it finds.

    Reboot into normal mode and turn system restore back on.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  14. Emmalinauk

    Emmalinauk TS Rookie Topic Starter

    Hi Howard

    I have followed your instructions and it appears to have worked (thank goodness I hear you cry!)

    Thanks for all your help - I really appreciate it!

    Take care
    Emma x

    :D
     
Topic Status:
Not open for further replies.
