Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93100 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

SLX.EXElllllllllllllllllllt


  • This topic is locked This topic is locked
5 replies to this topic

#1 chris1001

chris1001

    Authentic Member

  • Authentic Member
  • PipPip
  • 30 posts

Posted 10 April 2006 - 12:18 PM

I have tried AVG, Spybot, Spydoctor, and Prevx1, and none of these can shift this stubborn virus. Can anyone help? Its located in C:\WINDOWS\system32 and the 'l's are not letters, but bars! Many thanks, Chris

    Advertisements

Register to Remove


#2 chris1001

chris1001

    Authentic Member

  • Authentic Member
  • PipPip
  • 30 posts

Posted 10 April 2006 - 12:27 PM

Logfile of HijackThis v1.99.1
Scan saved at 18:50:58, on 10/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = =http://www.btbusinessoffice.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btbusinessoffice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.viplegal.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Internet Explorer Updater] C:\WINDOWS\system32\lexbac.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [BTB Connect] "c:\program files\btb connect\DialBTCPAYG.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} - http://fred.gibralta...aler/eu_cax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1137541739430
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1141668891676
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{0933C58D-D963-465E-BF2A-86741D0F5CD3}: NameServer = 85.255.114.196
O17 - HKLM\System\CS1\Services\Tcpip\..\{0933C58D-D963-465E-BF2A-86741D0F5CD3}: NameServer = 85.255.114.196
O19 - User stylesheet: (file missing)
O21 - SSODL: AVG7Uninstall - {F102D551-5E71-1C73-9529-A8E9315F1D11} - c:\program files\grisoft\avg free\wvbot32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

#3 shelf life

shelf life

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 3,191 posts

Posted 17 April 2006 - 07:10 AM

hi chris1001, can you see the .exe in the system32 dir? do this: FOr XP: on the desktop double click my computer,go to tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files " also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok if you can find it, delete it. if it gives you problems. reboot computer into safe mode. you reach safe mode by tapping the f8 key during a restart of the computer. try deleting it in safe mode. shelf life
How Can I Reduce My Risk?

#4 chris1001

chris1001

    Authentic Member

  • Authentic Member
  • PipPip
  • 30 posts

Posted 17 April 2006 - 08:30 AM

Thank you Shelf Life, it worked. I can't believe it actually deleted without any troubles. I am most grateful for your help, thanks again. Chris1001

#5 shelf life

shelf life

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 3,191 posts

Posted 17 April 2006 - 04:43 PM

hi chris1001,

good, glad to help. some reference material for you:

Be careful of what you download, and where you download it from. Many programs come bundled with extra software.You may be installing more than you think. Make sure you understand what it is you will be downloading and installing to your computer. Visit the makers website, learn more about the program, Does the program you want come bundled with other "3rd party" programs? What do the 3rd party programs do? Will they deliver ads? Track your surfing habits?. Read the EULA agreement, you know, that paragraph of stuff you "agree to" before the software installs? If you search hard enough you can always find a "clean" alternative to any software. Stay away from warez and crack sites. Becarful what you download from file sharing networks. If you are not sure, scan it with your Antivirus app. A small file (in KB) is probably not what you think it is. DO YOU TRUST THE SOURCE?

Make sure you keep your Windows OS current by visiting Windows update
occasionaly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

Adjust your browser settings: Change your(active x) settings in IE. With IE open go to tools, internet options, security tab. Click on the internet globe, then custom level. Set the first option "download signed active x controls" to prompt, the next two to disable. Read more:
Internet Explorer Privacy & Security Settings
Working with Internet Explorer 6 Security
Many exploits are directed at Internet Explorer, you dont have to use it. Try a different browser. You can have and use more than one browser on your computer.
Like Firefox,


Install a Firewall:A firewall will control what comes in from the internet and what leaves your computer to the internet. A firewall will also alert you when a application trys to connect to the internet from your computer, this is a good way to catch crapware or trojans, trying to connect out bound from your computer- whats that and why does it need a internet connection? You can deny it access it until more investigation is done. Zone Alarm is a free and easy to use firewall, that will provide in and outbound protection. Microsoft XP firewall only provides inbound protection. SP2 adds in and out bound protection which is better than nothing, but is not as robust as third party firewalls, Be sure to run only >one< firewall.If you use another, be sure to disable XP's built in firewall. If you use Zone Alarm learn what needs/uses your internet connection. If something unusal or out of the ordinary "asks" deny it access until more investigation is done.
Zone Alarm
OutPost Lite

Outlook Express with the default settings is not secure. It will run scripts, download images etc, just like a browser. You dont have to use it.
look here
and here
Or try Pegasus Mail, safer by default,no tweaking needed.

Make sure you have and keep updated Antivirus software
Free for home users:
avast! 4 Home Edition Download
AVG free version 7.0
AntiVir Personal Edition

Download one or two of these, install and update before using:(if these are constantly finding malware, then you need to make changes to your browser and or your habits)
CounterSpy Free trial version
Spybot Search and destroy
Ad-Aware SE Personal edition
Microsoft Windows Defender
Becarful with spyware "removers and scanners"-- there are many "rogue/suspect" programs that "claim to remove" spyware.Check here first.

AntiTrojan software to fill in the gap:
a2 free
Ewido Anti-Malware
Trojan Hunter (30 day trial version)
Tauscan trial version

Other programs to consider:
Process Guard stop events/processes with user intervention
SpywareBlaster add security to IE
IE-SPYAD adds adware peddlers sites/domains to IE restricted zone
CleanUp cleans out temp files,history, autoforms etc
ATF cleaner (W2K,XP only) cleans out temp files, history etc

Learn More:
Browser Checkup
Parasite Free
Safe Hex
Shelf Lifes page
Home Computer Security
How Can I Reduce My Risk?

#6 shelf life

shelf life

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 3,191 posts

Posted 02 July 2006 - 12:48 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
How Can I Reduce My Risk?

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users