My recently refurbished XP machine has developed some really weird problems.
Among them:
1) Phantom mouse-click sounds when no one is using the mouse
2) Numerous "process XXXXXX cannot access memory location YYYYY" errors; the numbers change every time.
3) Many "b.exe cannot access system resources" error messages.
4) Same as 3), but for msb.exe
5) Programs that used to work suddenly take forever to load, or never do, particularly RealArcade games.
6) Once, a sound message "You have just won a Walmart gift card, click on the link" played, like some ad bars do, when no browser was open and there was therefore no link to click.
7) This morning, the same as 6), except this time it sounded like a video clip from a talk show, when no browser was open and no video was being shown.
In this case I had time to check the Task Manager > Processes viewer, and "msb.exe" was using most of the CPU time. When I killed the msb.exe process, the sound clip stopped.
I have run several antivirus programs (Symantec, ClamAV, Avast! Bart CD) and AdAware and Spybot to no avail.
I already looked up b.exe and msb.exe online and found suggestions for where they should be if they are likely to be legit/malicious. Using Windows Search, msb.exe appears to be where it should be and the size it should be, and b.exe doesn't appear at all!
I have attached the logs from dds and gmer.
HELP!
John
DDS (Ver_09-06-26.01) - NTFSx86
Run by Carrie at 0:25:49.28 on Wed 07/01/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.241 [GMT -4:00]
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\msb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Carrie\LOCALS~1\Temp\b.exe
H:\Malware Removal Help\dds.scr
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [Cognac] c:\docume~1\carrie\locals~1\temp\b.exe
uRun: [ColdWare] c:\windows\msb.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\carrie\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\viarai~1.lnk - c:\program files\via\raid\raid_tool.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245943860359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\carrie\applic~1\mozilla\firefox\profiles\jmrt6h5g.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mc508.mail.yahoo.com/mc/welcome?.gx=0&.tm=1246215164&.rand=ad02pfut7157q#_pg=showFolder;_ylc=X3oDMTBuZWpiMG10BF9TAzM5ODMwMTAxNARhYwNkZWxNc2dz&&filterBy=&fid=Inbox&nsc&hash=63676606ab51d928aa7608f3fe37c695&.jsrand=9909989|https://webmail.psu.edu/webmail/main...e.php?ref=home
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-12-8 2440120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-28 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090630.032\NAVENG.SYS [2009-6-30 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090630.032\NAVEX15.SYS [2009-6-30 876144]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [2003-2-27 1464672]
=============== Created Last 30 ================
2009-06-30 15:50 <DIR> --d----- c:\docume~1\carrie\applic~1\Eyeblaster
2009-06-30 15:49 <DIR> --d----- c:\windows\system32\LogFiles
2009-06-29 19:16 <DIR> --d----- c:\docume~1\carrie\applic~1\gemsweeperextractedgfx
2009-06-29 19:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\My Games
2009-06-28 19:28 117,252 a------- c:\windows\msb.exe
2009-06-28 19:23 351 a------- c:\windows\system32\hjgruipywwsbbb.dat
2009-06-28 19:22 4 a------- c:\windows\system32\MSIVXcount
2009-06-28 19:22 78,336 a------- c:\windows\system32\drivers\MSIVXaxkfhmkvqvcbkcvoqtrrytrnyrdvmdrs.sys
2009-06-28 19:22 117,252 a------- c:\windows\msa.exe
2009-06-28 19:22 205,828 a------- c:\windows\system32\msxml71.dll
2009-06-27 17:47 <DIR> --d----- c:\program files\InfraRecorderPortable
2009-06-27 16:06 <DIR> --d----- c:\program files\Lame for Audacity
2009-06-27 14:47 <DIR> --d----- c:\program files\Canon
2009-06-27 14:41 <DIR> --d----- c:\docume~1\carrie\applic~1\BitTorrent
2009-06-27 11:41 <DIR> --d----- c:\documents and settings\carrie\10DaysUnderTheSea
2009-06-27 10:07 28 a------- c:\windows\pdf995.ini
2009-06-27 10:06 59 a------- c:\windows\wpd99.drv
2009-06-27 10:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\pdf995
2009-06-27 10:06 249,856 a------- c:\windows\system32\pdfmona.dll
2009-06-27 10:06 51,716 a------- c:\windows\system32\pdf995mon.dll
2009-06-27 10:06 <DIR> --d----- c:\program files\pdf995
2009-06-26 18:57 <DIR> --d----- c:\program files\XEmacs
2009-06-26 17:36 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-06-26 16:54 <DIR> --d----- c:\program files\Zylom Games
2009-06-26 16:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Zylom
2009-06-26 13:03 <DIR> --dsh--- c:\windows\ftpcache
2009-06-26 12:55 <DIR> --d----- C:\My Games
2009-06-26 12:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\RealArcade
2009-06-26 12:54 <DIR> --d----- C:\users
2009-06-26 12:53 <DIR> --d----- c:\program files\RealArcade
2009-06-26 09:36 <DIR> --dsh--- c:\documents and settings\carrie\PrivacIE
2009-06-26 09:20 <DIR> --dsh--- c:\documents and settings\carrie\IETldCache
2009-06-26 09:20 <DIR> --d----- c:\documents and settings\Carrie
2009-06-25 17:35 51 a------- c:\windows\iTouch.ini
2009-06-25 16:58 <DIR> --d----- c:\documents and settings\carrie\Saved Games
2009-06-25 16:50 <DIR> --d----- c:\documents and settings\carrie\WINDOWS
2009-06-25 16:50 <DIR> --d----- c:\documents and settings\carrie\.javaws
2009-06-25 16:50 <DIR> --d----- c:\documents and settings\carrie\.java
2009-06-25 16:50 <DIR> --d----- c:\documents and settings\carrie\.jpi_cache
2009-06-25 16:50 <DIR> --d----- c:\documents and settings\carrie\.freeguide
2009-06-25 15:27 <DIR> --d----- C:\Incoming
2009-06-25 15:26 <DIR> --d----- c:\program files\DNA
2009-06-25 15:26 <DIR> --d----- c:\program files\BitTorrent
2009-06-25 15:01 12,953 a------- c:\windows\system32\drivers\itchfltr.sys
2009-06-25 15:01 37,887 -------- c:\windows\system32\drivers\Lhidusb.sys
2009-06-25 15:01 14,095 -------- c:\windows\system32\drivers\LCCFLTR.SYS
2009-06-25 15:01 54,784 a------- c:\windows\system32\MSVCI70.DLL
2009-06-25 15:01 <DIR> --d----- c:\program files\common files\Logitech
2009-06-25 14:39 <DIR> --d----- c:\windows\ie8updates
2009-06-25 14:37 <DIR> -cd-h--- c:\windows\ie8
2009-06-25 14:34 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-25 14:34 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-25 14:34 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-25 14:34 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-25 14:34 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-06-25 14:18 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-06-25 14:18 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-06-25 14:18 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-06-25 14:18 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-06-25 14:18 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-06-25 14:17 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-25 14:17 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-06-25 14:17 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-06-25 14:16 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-06-25 14:16 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-06-25 14:08 221,184 a------- c:\windows\system32\wmpns.dll
2009-06-25 13:53 375,519 -c------ c:\windows\system32\dllcache\nuskin.wmv
2009-06-25 13:49 <DIR> --d----- c:\windows\ServicePackFiles
2009-06-25 13:48 294,912 -c------ c:\windows\system32\dllcache\dlimport.exe
2009-06-25 13:46 <DIR> --d----- c:\windows\network diagnostic
2009-06-25 13:46 44,928 -------- c:\windows\system32\drivers\agpcpq.sys
2009-06-25 13:46 43,008 -------- c:\windows\system32\drivers\amdagp.sys
2009-06-25 13:46 42,752 -------- c:\windows\system32\drivers\alim1541.sys
2009-06-25 13:46 4,255 -------- c:\windows\system32\drivers\adv01nt5.dll
2009-06-25 13:46 3,967 -------- c:\windows\system32\drivers\adv02nt5.dll
2009-06-25 13:46 3,775 -------- c:\windows\system32\drivers\adv11nt5.dll
2009-06-25 13:46 3,711 -------- c:\windows\system32\drivers\adv09nt5.dll
2009-06-25 13:46 3,647 -------- c:\windows\system32\drivers\adv07nt5.dll
2009-06-25 13:46 3,615 -------- c:\windows\system32\drivers\adv05nt5.dll
2009-06-25 13:46 3,135 -------- c:\windows\system32\drivers\adv08nt5.dll
2009-06-25 13:44 19,569 a------- c:\windows\002948_.tmp
2009-06-25 11:33 <DIR> --d----- c:\windows\system32\PreInstall
2009-06-25 11:31 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-06-25 11:31 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-06-25 11:31 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-06-25 11:31 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-06-25 11:31 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-06-25 10:58 <DIR> --d----- c:\windows\system32\URTTemp
2009-06-25 10:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-06-25 10:53 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2009-06-25 10:53 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-25 10:53 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-06-25 10:52 301,656 a------- c:\windows\system32\BtCoreIf.dll
2009-06-25 10:52 170,512 a------- c:\windows\system32\kemutb.dll
2009-06-25 10:52 141,840 a------- c:\windows\system32\KemUtil.dll
2009-06-25 10:52 117,264 a------- c:\windows\system32\KemWnd.dll
2009-06-25 10:52 76,304 a------- c:\windows\system32\KemXML.dll
2009-06-25 10:11 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-06-25 10:09 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
==================== Find3M ====================
2009-06-25 13:56 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
============= FINISH: 0:26:20.15 ===============
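A triage script for the kind of log posted above, added here as a worked example; it is not the poster's code and not part of the DDS tool. It parses the uRun/mRun lines and the "Created Last 30" section of a constructed excerpt of the log (lines copied verbatim from the post) and flags the things a malware-removal helper looks at first: an autorun target living in a user Temp directory, an executable dropped directly in the Windows root rather than a program directory, random-looking filenames, and files that were created within minutes of, or have exactly the same size as, a flagged autorun target. The thresholds and severity labels are the script's own assumptions, not conclusions the log itself states.

```python
"""DDS log triage. Added example: not the poster's code and not part of the
DDS tool. Flags uRun/mRun targets and "Created Last 30" files that match
placement patterns typical of malware. The heuristics (Temp-dir autoruns,
executables in %windir% root, random-looking names, files created within 10
minutes of, or with the same size as, a flagged autorun target) are this
script's assumptions, not facts stated by the log."""
import re
from datetime import datetime

RUN_RE = re.compile(r'^([um]Run): \[([^\]]*)\] (.*)$')
CREATED_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$')
EXT_RE = re.compile(r'\.(exe|scr|com|bat|cmd|dll)\b', re.I)
CONSONANT_RUN = re.compile(r'[bcdfghjklmnpqrstvwxyz]{5,}')

# Constructed excerpt of the DDS log in the post above (lines copied verbatim).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [Cognac] c:\docume~1\carrie\locals~1\temp\b.exe
uRun: [ColdWare] c:\windows\msb.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
=============== Created Last 30 ================
2009-06-30 15:50 <DIR> --d----- c:\docume~1\carrie\applic~1\Eyeblaster
2009-06-28 19:28 117,252 a------- c:\windows\msb.exe
2009-06-28 19:23 351 a------- c:\windows\system32\hjgruipywwsbbb.dat
2009-06-28 19:22 4 a------- c:\windows\system32\MSIVXcount
2009-06-28 19:22 78,336 a------- c:\windows\system32\drivers\MSIVXaxkfhmkvqvcbkcvoqtrrytrnyrdvmdrs.sys
2009-06-28 19:22 117,252 a------- c:\windows\msa.exe
2009-06-28 19:22 205,828 a------- c:\windows\system32\msxml71.dll
2009-06-27 10:06 249,856 a------- c:\windows\system32\pdfmona.dll
2009-06-25 15:01 12,953 a------- c:\windows\system32\drivers\itchfltr.sys
"""


def parse_dds(text):
    """Return (autoruns, created). autoruns: (hive, value name, path);
    created: (datetime, size or None for <DIR>, attrs, path). Paths lowercased."""
    autoruns, created = [], []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, name, rest = m.groups()
            if rest.startswith('"'):            # quoted path, args may follow
                end = rest.find('"', 1)
                path = rest[1:end] if end > 0 else rest[1:]
            else:                               # unquoted: cut at the extension
                ext = EXT_RE.search(rest)
                path = rest[:ext.end()] if ext else rest.strip()
            autoruns.append((hive, name, path.lower()))
            continue
        m = CREATED_RE.match(line)
        if m:
            ts, size, attrs, path = m.groups()
            size = None if size == '<DIR>' else int(size.replace(',', ''))
            created.append((datetime.strptime(ts, '%Y-%m-%d %H:%M'),
                            size, attrs, path.lower()))
    return autoruns, created


def triage(autoruns, created):
    """Return findings as (severity, path, reason) tuples."""
    findings, flagged = [], set()
    for hive, name, path in autoruns:
        tag = f'{hive} [{name}]'
        if '\\temp\\' in path:
            findings.append(('high', path, f'{tag}: autorun target lives in a Temp directory'))
            flagged.add(path)
        elif re.match(r'^c:\\windows\\[^\\]+\.(exe|dll|scr)$', path):
            findings.append(('medium', path, f'{tag}: executable sitting directly in %windir%'))
            flagged.add(path)
        elif '\\' not in path:
            findings.append(('low', path, f'{tag}: bare filename, resolved via the search path'))
    # Cross-reference: files created near, or identical in size to, flagged targets.
    anchors = [(p, ts, size) for ts, size, _, p in created if p in flagged]
    for ts, size, _, path in created:
        if size is None:
            continue
        stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        if (path.endswith(('.sys', '.dll', '.exe', '.dat'))
                and len(stem) >= 12 and CONSONANT_RUN.search(stem)):
            findings.append(('medium', path, 'random-looking filename (long consonant run)'))
        for apath, ats, asize in anchors:
            if path == apath:
                continue
            seconds = abs((ts - ats).total_seconds())
            if size == asize:
                findings.append(('high', path, f'same size ({size:,} bytes) as autorun target {apath}'))
            elif seconds <= 600:
                findings.append(('medium', path,
                                 f'created within {int(seconds // 60)} min of autorun target {apath}'))
    return findings


def report(text):
    """Parse and triage in one call; findings sorted high -> low."""
    rank = {'high': 0, 'medium': 1, 'low': 2}
    return sorted(triage(*parse_dds(text)), key=lambda f: (rank[f[0]], f[1]))


if __name__ == '__main__':
    for sev, path, reason in report(SAMPLE_LOG):
        print(f'[{sev:6}] {path}\n         {reason}')
```

On the "b.exe doesn't appear at all" point: the run key names the file under the profile's Local Settings\Temp folder, which is a hidden folder, and the XP Search Companion skips hidden files and folders unless that option is ticked. A command prompt with `dir /a "%USERPROFILE%\Local Settings\Temp\b.exe"` lists it regardless of attributes.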