
b.exe at startup?


liv

Malwarebytes keeps picking up b.exe as a Trojan.Dropper at every startup, but is unable to quarantine or remove it.

I scanned with Malwarebytes and Avast, yet found nothing. b.exe is not shown in the startup options. I followed the directory (with hidden files shown) to b.exe, but I can't find it either.

I haven't noticed any changes or problems with my computer yet, but it is quite annoying that Malwarebytes keeps popping up a message prompting me to quarantine, but won't do the job.

Please help with b.exe removal.


Hello and welcome to the MalwareBytes' Forums :) Let's take a look:

Download OTL to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Then click the Quick Scan button at the top. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.


There's nothing to worry about in those logs.

Let's see what MalwareBytes' is saying:

Please re-open Malwarebytes' Anti-Malware.

  • Click the Update tab, and then click Check for Updates.
  • After updating, click the Scanner tab.
  • Select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3930

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18904

4/16/2010 8:07:14 AM

mbam-log-2010-04-16 (08-07-14).txt

Scan type: Quick scan

Objects scanned: 131957

Time elapsed: 5 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

======================================

and this is from the protection log

07:26:57 Vi MESSAGE Protection started successfully

07:27:00 Vi MESSAGE IP Protection started successfully

07:44:39 Vi IP-BLOCK 89.28.71.210

08:00:14 Vi DETECTION C:\Users\Vi\AppData\Local\Temp\b.exe Trojan.Dropper QUARANTINE

08:00:15 Vi ERROR Quarantine failed: UtilityReadFile failed with error code 2

08:04:08 Vi IP-BLOCK 72.233.114.171

08:04:14 Vi MESSAGE IP Protection stopped

it happens at every start up


@dragon8161

Please start your own topic.

@liv

Run OTL (Double click to run)

  • Click None at the top
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    %SYSTEMROOT%\b.exe /s
    hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b.exe /RS
    hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|b.exe /RS
    hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b.exe /RS

  • Then click the Run Scan button at the top
  • Let the program scan and post the log that pops up when done (OTL.txt)


OTL logfile created on: 4/17/2010 1:18:12 PM - Run 2

OTL by OldTimer - Version 3.2.1.1 Folder = C:\Users\Vi\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18904)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 57.00% Memory free

6.00 Gb Paging File | 5.00 Gb Available in Paging File | 76.00% Paging File free

Paging file location(s): c:\pagefile.sys 3055 5000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 363.75 Gb Total Space | 166.99 Gb Free Space | 45.91% Space Free | Partition Type: NTFS

Drive D: | 8.86 Gb Total Space | 1.35 Gb Free Space | 15.29% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

Drive F: | 1397.26 Gb Total Space | 1284.09 Gb Free Space | 91.90% Space Free | Partition Type: NTFS

Drive G: | 48.83 Gb Total Space | 2.38 Gb Free Space | 4.87% Space Free | Partition Type: NTFS

H: Drive not present or media not loaded

Drive I: | 48.83 Gb Total Space | 13.20 Gb Free Space | 27.03% Space Free | Partition Type: NTFS

Drive O: | 51.39 Gb Total Space | 43.14 Gb Free Space | 83.95% Space Free | Partition Type: NTFS

Drive P: | 39.06 Gb Total Space | 27.44 Gb Free Space | 70.26% Space Free | Partition Type: NTFS

Drive Q: | 35.47 Gb Total Space | 26.18 Gb Free Space | 73.80% Space Free | Partition Type: NTFS

Computer Name: VIL

Current User Name: Vi

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Custom Scans ==========

< %SYSTEMROOT%\b.exe /s >

< hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b.exe /RS >

< hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|b.exe /RS >

< hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b.exe /RS >

< End of report >


No references to b.exe anywhere. This is likely what is making MBAM throw out that Quarantining error -- it can't find it. We'll make sure that there isn't anything hanging around before reporting it as an error.

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.

  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO

  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
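
Added example, not part of the original posts: a short Python script that pairs a DETECTION line in the protection log with the quarantine error logged right after it, which is the reasoning behind "it can't find it". It assumes the number in the ERROR line is a Win32 system error code (2 is ERROR_FILE_NOT_FOUND); the sample log is built from lines quoted in this thread, and the function name `correlate` is hypothetical.

```python
import re
from datetime import datetime, timedelta

# Sample input built from the protection-log lines quoted in this thread.
SAMPLE_LOG = r"""
07:26:57 Vi MESSAGE Protection started successfully
08:00:14 Vi DETECTION C:\Users\Vi\AppData\Local\Temp\b.exe Trojan.Dropper QUARANTINE
08:00:15 Vi ERROR Quarantine failed: UtilityReadFile failed with error code 2
08:04:14 Vi MESSAGE IP Protection stopped
"""

# Assumption: the number in the ERROR line is a Win32 system error code.
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND",
                5: "ERROR_ACCESS_DENIED", 32: "ERROR_SHARING_VIOLATION"}
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+([A-Z-]+)\s+(.*)$")
CODE_RE = re.compile(r"error code (\d+)")


def correlate(log_text, window_seconds=5):
    """Pair each DETECTION with a quarantine ERROR logged right after it."""
    findings, last_ts = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        kind, detail = m.group(3), m.group(4)
        if kind == "DETECTION":
            # Paths may contain spaces: threat name and action are the last two tokens.
            parts = detail.rsplit(None, 2)
            if len(parts) != 3:
                continue
            findings.append({"time": m.group(1), "path": parts[0], "threat": parts[1],
                             "action": parts[2], "in_temp": "\\temp\\" in parts[0].lower(),
                             "error": None, "verdict": "no error logged"})
            last_ts = ts
        elif kind == "ERROR" and last_ts is not None:
            code = CODE_RE.search(detail)
            if code is None or ts - last_ts > timedelta(seconds=window_seconds):
                continue
            name = WIN32_ERRORS.get(int(code.group(1)), "code " + code.group(1))
            gone = name in ("ERROR_FILE_NOT_FOUND", "ERROR_PATH_NOT_FOUND")
            findings[-1]["error"] = name
            findings[-1]["verdict"] = ("file already gone when quarantine ran"
                                       if gone else "quarantine failed: " + name)
    return findings
```

A detection in a Temp directory that is gone one second later points at something recreating and deleting the file at each startup, so the next place to look is whatever launches it rather than the file itself.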


"Silent Runners.vbs", revision 61, http://www.silentrunners.org/

Operating System: Windows Vista SP1

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Sidebar" = "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS]

"AMP WinOFF" = "c:\program files\amp winoff\winoff.exe -quiet" ["Alberto Mart


Hi,

I have just had this same error with b.exe trojan.dropper.

It is caused by a hidden scheduled task trying to execute this program.

If you open the task scheduler from Accessories/System Tools and look at the scheduled tasks that are active you will find it.

It is hidden though, so you have to select show hidden tasks.

Delete the task and it should fix your problem.

I can't find b.exe anywhere in task scheduler =/
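
Added example, not part of the original posts: one way to check the scheduled-task theory above without clicking through the Task Scheduler, by reviewing an exported task list for commands that reference a given file name or run from a user-writable directory. It assumes the list was exported with `schtasks /query /fo csv /v`; the sample rows, task names and the function name `suspicious_tasks` are constructed for illustration, and the code tolerates the repeated header rows that verbose output can contain.

```python
import csv
import io
import re

# Constructed sample shaped like `schtasks /query /fo csv /v` output, trimmed to
# three columns. Task names and program paths are invented for illustration.
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run"
"VIL","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c"
"HostName","TaskName","Task To Run"
"VIL","\{EXAMPLE-TASK}","C:\Users\Vi\AppData\Local\Temp\b.exe"
"VIL","\ExampleUpdater","C:\Program Files\Example App\web.exe /silent"
'''

# Directories a standard user can write to; programs launched from here deserve a look.
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|users\\public)\\|%temp%", re.I)


def suspicious_tasks(csv_text, file_name=None):
    """Return (task name, command, reasons) for tasks worth a manual review."""
    hits, header = [], None
    # Match the file name as a whole path component, so "b.exe" does not hit "web.exe".
    name_re = (re.compile(r'(^|[\\/\s"])' + re.escape(file_name) + r'(\s|"|$)', re.I)
               if file_name else None)
    for row in csv.reader(io.StringIO(csv_text)):
        if "TaskName" in row and "Task To Run" in row:
            header = row  # the header row can repeat mid-file; re-read it each time
            continue
        if header is None or len(row) != len(header):
            continue
        rec = dict(zip(header, row))
        command, reasons = rec["Task To Run"], []
        if USER_WRITABLE.search(command):
            reasons.append("runs from a user-writable directory")
        if name_re and name_re.search(command):
            reasons.append("references " + file_name)
        if reasons:
            hits.append((rec["TaskName"], command, reasons))
    return hits


if __name__ == "__main__":
    for task, command, reasons in suspicious_tasks(SAMPLE_CSV, "b.exe"):
        print(task, "|", command, "|", "; ".join(reasons))
```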


b.exe is part of many infections in the category of Rogue AntiSpyware. Rogue AntiSpyware are programs that produce fake warnings that try and trick you into buying their software. We're seeing them rapidly evolving on the forums.

:woot:

You're in the All Clear! Here are a few cleanup procedures that are a must after malware removal. Also, I have a few program recommendations I like to suggest.

System Restore

System Restore creates snapshots of your computer, called Restore Points, so that in the event something goes wrong, you can restore your computer to an earlier date. Viruses would have gotten into the Restore Point snapshots also and can reinfect you if you restore to an infected date. Clearing the Restore Points and making a new one is essential after removal:

  • Open OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :commands
    [CLEARALLRESTOREPOINTS]


  • Then click the Run Fix button at the top.
  • You may or may not be asked to reboot. In any case, I don't need the log that follows.

Removal of Removal-Tools

This is to make sure that any powerful tools we used aren't left behind and to make sure that if you ever get reinfected, you will download all the most recent tools.

  • Open OTL.
  • In the top right corner will be a button called "Clean Up!"; click it.
  • Follow any prompts, and reboot when prompted.
  • OTL will be gone on startup also. Delete any logs or leftover tools manually.

Windows Updates

You should visit Windows Update about once a month, to receive Security Fixes, Hot Fixes and Service Packs. These are all important to fix things from bugs to vulnerabilities which could lead to infection.

Go to Tools > Windows Update, within Internet Explorer

  • Click Express. It will check for updates for your computer.
  • Click Install Updates. A window should pop up giving the status of each update.
  • Reboot when prompted.

If you're feeling lazy you can turn on Automatic Updates which will do the work for you.

  • Click Start, then Control Panel
  • Click Automatic Updates
  • Check Automatic (Recommended)
  • Ok your way out.

More information about Windows Updates and clear configuration instructions can be found here.

Prevention Programs and Practices

  • Two AntiSpyware \ AntiMalware programs that are effective, easy to use, and free. A weekly scanning with one or both of these tools can be very useful in preventing\removing a wide variety of infections. I strongly recommend these products:
  • The following are two alternative web-browsers. Both are great choices (And can be installed and used with Internet Explorer still present!) You may wish to experiment with the two, to decide which you prefer.
  • Cleans out temporary files safely and effectively. It does not clean out URL history, prefetch, or cookies.
  • Keep your programs and applications up to date. This is important, not only for content, but for vulnerability-fixes. Here are a few you should definitely keep up-to-date if you have them:

Glad I could help, piano9playa5 :cheers:


  • 4 weeks later...
  • Staff

Glad we could help. :P

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.