#1
Registered User
Join Date: Jul 2009
Posts: 4
OS: Windows XP SP3
PC Problems: Phantom Messages
My recently refurbished XP machine has developed some really weird problems. Among them:
1) Phantom mouse click sounds when no one is using the mouse.
2) Numerous "process XXXXXX cannot access memory location YYYYY"; the numbers change every time.
3) Many "b.exe cannot access system resources" error messages.
4) Same as 3) but for msb.exe.
5) Programs that used to work suddenly take forever to load, or never do. Particularly RealArcade games.
6) Once a sound message "You have just won a Walmart gift card, click on the link" played, like some ad bars do, when no browser was open and there was therefore no link to click.
7) This morning the same as 6), except this time it sounded like a video clip from a talk show when no browser was open and no video was being shown. In this case I had time to check the Task Manager > Processes viewer and "msb.exe" was using most of the CPU time. When I killed the msb.exe process, the sound clip stopped.
I have run several antivirus programs (Symantec, ClamAV, Avast! Bart CD) and AdAware and Spybot to no avail. I already looked up b.exe and msb.exe online and found suggestions for where they should be if they are likely to be legit/malicious. Using Windows search, msb.exe appears to be where it should be and the size it should be, and b.exe doesn't appear at all! I have attached the logs from dds and gmer. HELP!
John

DDS (Ver_09-06-26.01) - NTFSx86
Run by Carrie at 0:25:49.28 on Wed 07/01/2009
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.241 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\msb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Carrie\LOCALS~1\Temp\b.exe
H:\Malware Removal Help\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [Cognac] c:\docume~1\carrie\locals~1\temp\b.exe
uRun: [ColdWare] c:\windows\msb.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\carrie\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\viarai~1.lnk - c:\program files\via\raid\raid_tool.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245943860359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\carrie\applic~1\mozilla\firefox\profiles\jmrt6h5g.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mc508.mail.yahoo.com/mc/welcome?.gx=0&.tm=1246215164&.rand=ad02pfut7157q#_pg=showFolder;_ylc=X3oDMTBuZWpiMG10BF9TAzM5ODMwMTAxNARhYwNkZWxNc2dz&&filterBy=&fid=Inbox&nsc&hash=63676606ab51d928aa7608f3fe37c695&.jsrand=9909989|https://webmail.psu.edu/webmail/main...e.php?ref=home
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-12-8 2440120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-28 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090630.032\NAVENG.SYS [2009-6-30 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090630.032\NAVEX15.SYS [2009-6-30 876144]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [2003-2-27 1464672]

=============== Created Last 30 ================

2009-06-30 15:50 <DIR> --d----- c:\docume~1\carrie\applic~1\Eyeblaster
2009-06-30 15:49 <DIR> --d----- c:\windows\system32\LogFiles
2009-06-29 19:16 <DIR> --d----- c:\docume~1\carrie\applic~1\gemsweeperextractedgfx
2009-06-29 19:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\My Games
2009-06-28 19:28 117,252 a------- c:\windows\msb.exe
2009-06-28 19:23 351 a------- c:\windows\system32\hjgruipywwsbbb.dat
2009-06-28 19:22 4 a------- c:\windows\system32\MSIVXcount
2009-06-28 19:22 78,336 a------- c:\windows\system32\drivers\MSIVXaxkfhmkvqvcbkcvoqtrrytrnyrdvmdrs.sys
2009-06-28 19:22 117,252 a------- c:\windows\msa.exe
2009-06-28 19:22 205,828 a------- c:\windows\system32\msxml71.dll
2009-06-27 17:47 <DIR> --d----- c:\program files\InfraRecorderPortable
2009-06-27 16:06 <DIR> --d----- c:\program files\Lame for Audacity
2009-06-27 14:47 <DIR> --d----- c:\program files\Canon
2009-06-27 14:41 <DIR> --d----- c:\docume~1\carrie\applic~1\BitTorrent
2009-06-27 11:41 <DIR> --d----- c:\documents and settings\carrie\10DaysUnderTheSea
2009-06-27 10:07 28 a------- c:\windows\pdf995.ini
2009-06-27 10:06 59 a------- c:\windows\wpd99.drv
2009-06-27 10:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\pdf995
2009-06-27 10:06 249,856 a------- c:\windows\system32\pdfmona.dll
2009-06-27 10:06 51,716 a------- c:\windows\system32\pdf995mon.dll
2009-06-27 10:06 <DIR> --d----- c:\program files\pdf995
2009-06-26 18:57 <DIR> --d----- c:\program files\XEmacs
2009-06-26 17:36 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-06-26 16:54 <DIR> --d----- c:\program files\Zylom Games
2009-06-26 16:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Zylom
2009-06-26 13:03 <DIR> --dsh--- c:\windows\ftpcache
2009-06-26 12:55 <DIR> --d----- C:\My Games
2009-06-26 12:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\RealArcade
2009-06-26 12:54 <DIR> --d----- C:\users
2009-06-26 12:53 <DIR> --d----- c:\program files\RealArcade
2009-06-26 09:36 <DIR> --dsh--- c:\documents and settings\carrie\PrivacIE
2009-06-26 09:20 <DIR> --dsh--- c:\documents and settings\carrie\IETldCache
2009-06-26 09:20 <DIR> --d----- c:\documents and settings\Carrie
2009-06-25 17:35 51 a------- c:\windows\iTouch.ini
2009-06-25 16:58 <DIR> --d----- c:\documents and settings\carrie\Saved Games
2009-06-25 16:50 <DIR> --d----- c:\documents and settings\carrie\WINDOWS
2009-06-25 16:50 <DIR> --d----- c:\documents and settings\carrie\.javaws
2009-06-25 16:50 <DIR> --d----- c:\documents and settings\carrie\.java
2009-06-25 16:50 <DIR> --d----- c:\documents and settings\carrie\.jpi_cache
2009-06-25 16:50 <DIR> --d----- c:\documents and settings\carrie\.freeguide
2009-06-25 15:27 <DIR> --d----- C:\Incoming
2009-06-25 15:26 <DIR> --d----- c:\program files\DNA
2009-06-25 15:26 <DIR> --d----- c:\program files\BitTorrent
2009-06-25 15:01 12,953 a------- c:\windows\system32\drivers\itchfltr.sys
2009-06-25 15:01 37,887 -------- c:\windows\system32\drivers\Lhidusb.sys
2009-06-25 15:01 14,095 -------- c:\windows\system32\drivers\LCCFLTR.SYS
2009-06-25 15:01 54,784 a------- c:\windows\system32\MSVCI70.DLL
2009-06-25 15:01 <DIR> --d----- c:\program files\common files\Logitech
2009-06-25 14:39 <DIR> --d----- c:\windows\ie8updates
2009-06-25 14:37 <DIR> -cd-h--- c:\windows\ie8
2009-06-25 14:34 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-25 14:34 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-25 14:34 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-25 14:34 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-25 14:34 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-06-25 14:18 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-06-25 14:18 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-06-25 14:18 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-06-25 14:18 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-06-25 14:18 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-06-25 14:17 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-25 14:17 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-06-25 14:17 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-06-25 14:16 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-06-25 14:16 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-06-25 14:08 221,184 a------- c:\windows\system32\wmpns.dll
2009-06-25 13:53 375,519 -c------ c:\windows\system32\dllcache\nuskin.wmv
2009-06-25 13:49 <DIR> --d----- c:\windows\ServicePackFiles
2009-06-25 13:48 294,912 -c------ c:\windows\system32\dllcache\dlimport.exe
2009-06-25 13:46 <DIR> --d----- c:\windows\network diagnostic
2009-06-25 13:46 44,928 -------- c:\windows\system32\drivers\agpcpq.sys
2009-06-25 13:46 43,008 -------- c:\windows\system32\drivers\amdagp.sys
2009-06-25 13:46 42,752 -------- c:\windows\system32\drivers\alim1541.sys
2009-06-25 13:46 4,255 -------- c:\windows\system32\drivers\adv01nt5.dll
2009-06-25 13:46 3,967 -------- c:\windows\system32\drivers\adv02nt5.dll
2009-06-25 13:46 3,775 -------- c:\windows\system32\drivers\adv11nt5.dll
2009-06-25 13:46 3,711 -------- c:\windows\system32\drivers\adv09nt5.dll
2009-06-25 13:46 3,647 -------- c:\windows\system32\drivers\adv07nt5.dll
2009-06-25 13:46 3,615 -------- c:\windows\system32\drivers\adv05nt5.dll
2009-06-25 13:46 3,135 -------- c:\windows\system32\drivers\adv08nt5.dll
2009-06-25 13:44 19,569 a------- c:\windows\002948_.tmp
2009-06-25 11:33 <DIR> --d----- c:\windows\system32\PreInstall
2009-06-25 11:31 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-06-25 11:31 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-06-25 11:31 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-06-25 11:31 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-06-25 11:31 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-06-25 10:58 <DIR> --d----- c:\windows\system32\URTTemp
2009-06-25 10:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-06-25 10:53 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2009-06-25 10:53 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-25 10:53 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-06-25 10:52 301,656 a------- c:\windows\system32\BtCoreIf.dll
2009-06-25 10:52 170,512 a------- c:\windows\system32\kemutb.dll
2009-06-25 10:52 141,840 a------- c:\windows\system32\KemUtil.dll
2009-06-25 10:52 117,264 a------- c:\windows\system32\KemWnd.dll
2009-06-25 10:52 76,304 a------- c:\windows\system32\KemXML.dll
2009-06-25 10:11 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-06-25 10:09 32,128 a------- c:\windows\system32\drivers\usbccgp.sys

==================== Find3M ====================

2009-06-25 13:56 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 0:26:20.15 ===============
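As an added example that is not part of the original post or of the DDS tool, here is a small Python scanner that reads uRun/mRun lines in the format of the DDS log above and flags autorun entries that launch from a temp directory, from directly inside the Windows directory, or with no directory at all. The sample lines are copied from the log above; the Logitech KHALMNPR.EXE entry is included to show that a flag is a prompt to verify the file, not a verdict.

```python
import re
from typing import NamedTuple

# A DDS autorun line: "uRun: [Name] c:\path\file.exe" or 'mRun: [Name] "c:\path with spaces\file.exe" -arg'
RUN_RE = re.compile(r'^(?P<hive>[um]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$')

class Finding(NamedTuple):
    hive: str       # uRun = per-user Run key, mRun = machine-wide Run key
    name: str       # value name shown in brackets
    path: str       # executable the entry launches
    reasons: tuple  # why it was flagged for review

def extract_path(cmd: str) -> str:
    # Return the executable part of a Run-key command line, quoted or bare.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]

def suspicious_reasons(path: str) -> list:
    # Heuristics that mark an entry for manual review; a hit is a prompt to verify, not a verdict.
    p = path.lower().replace('/', '\\')
    reasons = []
    if '\\temp\\' in p or '\\tmp\\' in p:
        reasons.append('runs from a temp directory')  # e.g. the [Cognac] entry for b.exe
    if re.match(r'^c:\\windows\\[^\\]+\.exe$', p):
        reasons.append('executable directly under the Windows directory')  # e.g. msb.exe
    if '\\' not in p:
        reasons.append('no directory given; resolved via PATH')  # legitimate for Logitech here, still worth confirming
    return reasons

def scan_run_entries(log_text: str) -> list:
    # Parse uRun/mRun lines out of DDS log text and return the entries worth a closer look.
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        path = extract_path(m.group('cmd'))
        reasons = suspicious_reasons(path)
        if reasons:
            findings.append(Finding(m.group('hive'), m.group('name'), path, tuple(reasons)))
    return findings

# Sample input: lines copied from the DDS log in the post above, not read from a live system.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [Cognac] c:\docume~1\carrie\locals~1\temp\b.exe
uRun: [ColdWare] c:\windows\msb.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
"""
```

Running scan_run_entries(SAMPLE_DDS) returns the Cognac, ColdWare and Logitech entries with their reasons, and nothing for the system32 and Program Files entries.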
#2
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,610
OS: WinXP and Vista
Re: PC Problems: Phantom Messages
Hello John,
I do not see the log from the gmer scan. Please attach it in your next reply so we may begin.
#3
Registered User
Join Date: Jul 2009
Posts: 4
OS: Windows XP SP3
Re: PC Problems: Phantom Messages
No point now. The system locked up and I had to reimage the drive from the original. No problems now.
Besides, the uploader won't let me upload attach.zip. Says it's already there in another thread... Problems with my PC: The Phantom Messages
#4
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,610
OS: WinXP and Vista
Re: PC Problems: Phantom Messages
Thanks for letting me know. Since you had a clean image, that is truly the best solution to ensure all traces of the malware that was present are indeed gone.