b.exe

Status
Not open for further replies.
I assume you didn't google this, below is what I found about your problem. Follow the link below for more info on this. BTW.....Welcome to Techspot! :D

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSDBOT%2EBND&VSect=P


--------------------------------------------------------------------------------

Malware type: Worm

Aliases: W32/Sdbot.worm, Win32.Seenbot.BM

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating: Low

--------------------------------------------------------------------------------

Reported infections: Low

Damage potential: High

Distribution potential: High

--------------------------------------------------------------------------------

Description:
This worm arrives as B.EXE in the Windows system folder. It also drops MSDIRECTX.SYS, which is detected by Trend Micro as TROJ_ROOTKIT.H, in the same folder. It uses this Trojan to hide its process in the Windows Task Manager.

It generates IP addresses and spreads by attempting to drop a copy of itself in target addresses' IPC$ share. If the said share is inaccessible, it uses a list of user names and passwords hardcoded in its body.

It may also propagate by taking advantage of the following Windows vulnerabilities:

The RPC/DCOM vulnerability, which allows an attacker to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135. More information on this vulnerability is found in Microsoft Security Bulletin MS03-026.

The Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables a malicious user to gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Bulletin MS04-011.

This worm connects to an IRC server and joins a specific channel, where it listens for commands from a remote malicious user. The said commands are executed locally on affected machines. It also performs a distributed denial of service (DDoS) attack against target sites using different flood methods.
Description created: Apr. 20, 2005 7:42:54 AM GMT -0800
 
Hello and welcome to Techspot.

Your system is infected with several nasties.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and the Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of Chinster7 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
If I have more than one Windows user account, which account should I perform the steps in? Will making changes on one account affect the other accounts as well?
 
Your master preferably, but I'm not sure it would really make a difference.
 
Good question.

Post a fresh HJT log as per these instructions from each account.

Regards Howard :)

 
We'll clean HJT log `B` as this is the worst affected. The other two logs contain exactly the same entries except for one.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

REMIND32.EXE
msconfig.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there):

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE

O4 - Global Startup: msconfig.exe

Click on the fix checked button.

Close HJT.

Reboot into normal mode and rehide your protected OS files.

Now run a HJT scan on all accounts and see if the above entries are still there.

Let me know if you're still having problems.

Regards Howard :)

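A small triage helper, added here as an example and not part of the thread, of HijackThis, or of Trend Micro's write-up, that applies the removal criteria above (the orphaned O3 toolbar entry, autostart entries pointing at REMIND32.EXE or at the worm's B.EXE and MSDIRECTX.SYS, and an msconfig.exe launched from a startup folder) to HJT-style log lines. The sample log lines are constructed for the example; the registry Run entry for B.EXE is an assumed placement, not one the thread reports.

```python
import re

# Constructed sample log (not the poster's real attachment): the three entries
# Howard had fixed, one benign autorun line, and an assumed Run entry for the
# worm's B.EXE in the Windows system folder, so the filter sees a mix.
SAMPLE_HJT_LOG = """\
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\\Program Files\\ScanSoft\\PaperPort\\Config\\Ereg\\REMIND32.EXE
O4 - Global Startup: msconfig.exe
O4 - HKLM\\..\\Run: [Update] C:\\WINDOWS\\system32\\B.EXE
"""

# File names the thread ties to the infection or to entries that were removed.
WATCH_NAMES = {"b.exe", "msdirectx.sys", "remind32.exe"}
# HJT autostart sections that are plain startup folders rather than registry keys.
STARTUP_FOLDERS = ("O4 - Startup:", "O4 - Global Startup:")
# Matches a bare file name with an executable-style extension.
FILE_RE = re.compile(r"\w[\w\-. ]*\.(?:exe|sys|dll)", re.IGNORECASE)


def target_file(entry):
    """Return the lower-cased base name of the file an HJT line points at, or None."""
    tail = entry.split("\\")[-1]          # drop directory components, keep last segment
    m = FILE_RE.search(tail)
    return m.group(0).strip().lower() if m else None


def flag_entries(log_text):
    """Return (entry, reason) pairs for lines matching the thread's removal criteria."""
    hits = []
    for entry in log_text.splitlines():
        entry = entry.strip()
        if not entry.startswith("O"):
            continue
        name = target_file(entry)
        if entry.startswith("O3") and "(no file)" in entry:
            hits.append((entry, "orphaned toolbar: registry points at a missing file"))
        elif name in WATCH_NAMES:
            hits.append((entry, f"autostart references watched file {name}"))
        elif name == "msconfig.exe" and entry.startswith(STARTUP_FOLDERS):
            hits.append((entry, "msconfig.exe in a startup folder impersonates the system tool"))
    return hits


if __name__ == "__main__":
    for entry, reason in flag_entries(SAMPLE_HJT_LOG):
        print(f"{reason}\n    {entry}")
```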
 
Beautiful! Everything is working fine now. Task Manager works and the error message for b.exe is gone. The HJT logs no longer show the things that were checked. Thank you so much.

I just have a few more questions:
I deleted b.exe from my c:\, will it come back again once I reboot? And what was that msconfig.exe process? What exactly happened to my Task Manager?
 
The msconfig.exe that was running was what disabled your task manager.

Reboot your system and see if your b.exe problems return.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 