TechSpot

b.exe

By Chinster7
Mar 8, 2007
  1. I can't access Task Manager, and b.exe keeps coming back after I delete it. How do I fix this?
     
  2. halo71

    halo71 TS Rookie Posts: 1,090

    I assume you didn't google this; below is what I found about your problem. Follow the link below for more info on this. BTW.....Welcome to Techspot! :D

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSDBOT%2EBND&VSect=P


    --------------------------------------------------------------------------------

    Malware type: Worm

    Aliases: W32/Sdbot.worm, Win32.Seenbot.BM

    In the wild: Yes

    Destructive: No

    Language: English

    Platform: Windows 95, 98, ME, NT, 2000, XP

    Encrypted: No

    Overall risk rating: Low

    --------------------------------------------------------------------------------

    Reported infections: Low

    Damage potential: High

    Distribution potential: High

    --------------------------------------------------------------------------------

    Description:

    This worm arrives as B.EXE in the Windows system folder. It also drops MSDIRECTX.SYS, which is detected by Trend Micro as TROJ_ROOTKIT.H, in the same folder. It uses this Trojan to hide its process in the Windows Task Manager.

    It generates IP addresses and spreads by attempting to drop a copy of itself in target addresses' IPC$ share. If the said share is inaccessible, it uses a list of user names and passwords hardcoded in its body.

    It may also propagate by taking advantage of the following Windows vulnerabilities:

    The RPC/DCOM vulnerability, which allows an attacker to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135. More information on this vulnerability is found in Microsoft Security Bulletin MS03-026.

    The Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables a malicious user to gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Bulletin MS04-011.
    This worm connects to an IRC server and joins a specific channel, where it listens for commands from a remote malicious user. The said commands are executed locally on affected machines. It also performs a distributed denial of service (DDoS) attack against target sites using different flood methods.

    Description created: Apr. 20, 2005 7:42:54 AM GMT -0800
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is infected with several nasties.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and the Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of Chinster7 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. Chinster7

    Chinster7 TS Rookie Topic Starter

    If I have more than one Windows user account, which account should I perform the steps in? Will making changes on one account affect the other accounts as well?
     
  5. cfitzarl

    cfitzarl TechSpot Chancellor Posts: 1,975   +9

    Your master preferably, but I'm not sure it would really make a difference.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Good question.

    Post a fresh HJT log as per these instructions from each account.

    Regards Howard :)

    This thread is for the use of Chinster7 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. Chinster7

    Chinster7 TS Rookie Topic Starter

    Here are the HJT logs for each of the user accounts. In which one should I perform the steps to clean the system?
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    We'll clean HJT log 'B' as this is the worst affected. The other two logs contain exactly the same entries except for one.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    REMIND32.EXE
    msconfig.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

    O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE

    O4 - Global Startup: msconfig.exe

    Click on the fix checked button.

    Close HJT.

    Reboot into normal mode and rehide your protected OS files.

    Now run a HJT scan on all accounts and see if the above entries are still there.

    Let me know if you're still having problems.

    Regards Howard :)

    This thread is for the use of Chinster7 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
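The entries Howard has HJT fix above have recognisable shapes: an O3 toolbar whose file is gone, and a file named after a Windows system tool sitting in the Global Startup folder, where the real msconfig never lives. As an added example (not from the thread, HijackThis or TechSpot), here is a small Python triage over constructed HijackThis-style log lines that flags those shapes; the `[Updater]` Run entry and all paths other than the ones quoted in the post are constructed for contrast.

```python
import re
from typing import List, Tuple

# Constructed HijackThis-style log: the three entries the post asks HJT to
# fix plus one benign Run entry for contrast. Not a log from the thread.
SAMPLE_HJT_LOG = """\
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\\..\\Run: [Updater] C:\\Program Files\\Example\\updater.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\\Program Files\\ScanSoft\\PaperPort\\Config\\Ereg\\REMIND32.EXE
O4 - Global Startup: msconfig.exe
"""

# Built-in Windows tools that are never legitimately launched from a Startup
# folder; a file carrying one of these names there is borrowing the name.
SYSTEM_TOOL_NAMES = {"msconfig.exe", "taskmgr.exe", "regedit.exe", "cmd.exe"}

# "O4 - Global Startup: msconfig.exe" -> section "O4", kind "Global Startup", rest
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")

Finding = Tuple[str, str, str, str]  # (section, entry, severity, reason)


def triage_hjt(log_text: str) -> List[Finding]:
    """Flag HJT entries worth attention, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, anything that is not an O-entry
        section, kind, rest = m.groups()
        if section == "O3" and rest.endswith("(no file)"):
            findings.append((section, rest, "fix",
                             "toolbar registered but its file is gone; safe to remove"))
        elif section == "O4" and kind in ("Startup", "Global Startup"):
            # Startup-folder items: a .lnk shows its target after '=', otherwise
            # the entry itself is the file sitting in the folder.
            target = rest.split("=", 1)[1].strip() if "=" in rest else rest
            name = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_TOOL_NAMES:
                findings.append((section, rest, "fix",
                                 f"{name} in a Startup folder impersonates a Windows system tool"))
            else:
                findings.append((section, rest, "review",
                                 "Startup-folder item; confirm you installed it"))
    return findings


if __name__ == "__main__":
    for section, entry, severity, reason in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{severity}] {section} {entry}\n    {reason}")
```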
     
  9. Chinster7

    Chinster7 TS Rookie Topic Starter

    Beautiful! Everything is working fine now. Task Manager works and the error message for b.exe is gone. The HJT logs no longer show the things that were checked. Thank you so much.

    I just have a few more questions:
    I deleted b.exe from my c:\ ; will it come back again once I reboot? And what was that msconfig.exe process? What exactly happened to my Task Manager?
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The msconfig.exe that was running was what disabled your task manager.

    Reboot your system and see if your b.exe problems return.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of Chinster7 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.