Computing.Net > Forums > Security and Virus > Belt.Exe TROJAN

Belt.Exe TROJAN

Original Message
Name: Sara
Date: November 19, 2003 at 16:37:42 Pacific
Subject: Belt.Exe TROJAN
OS: windows xp
CPU/Ram: dunno
Comment:

Hi,

I really need help getting rid of the belt.exe trojan. I've tried Spybot and Ad-aware without luck, so now I ran HijackThis and I need someone to help me identify the problem.

Thanks!!!!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Documents and Settings\Sara\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ca.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ca.msn.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Sara\Application Data\Mozilla\Profiles\default\7vaixhwa.slt\prefs.js)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: WhyPPC - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WebInstall2] C:\DOCUME~1\Sara\LOCALS~1\Temp\ins5F2.tmp /R
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &IE Toolbar search - res://C:\WINDOWS\Downloaded Program Files\CONFLICT.1\toolbar.dll/SEARCH.HTML
O9 - Extra button: WhyPPC (HKLM)
O9 - Extra 'Tools' menuitem: WhyPPC (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://www.accesoplugin.com/dialercab/IberoDialerHTML.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} (WhyPPC) - http://69.57.140.27/~popinads/tbar/toolbar.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09B42C92-4D53-474E-B76A-962A3DECB231}: NameServer = 198.235.216.110 207.236.176.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{09B42C92-4D53-474E-B76A-962A3DECB231}: NameServer = 198.235.216.110 207.236.176.12


Response Number 1
Name: blender
Date: November 19, 2003 at 17:55:39 Pacific
Subject: Belt.Exe TROJAN

First, open Task Manager and look for the process "mwsoemon.exe"; end the process if it is there. If it is not listed, don't worry about it.
Have only HijackThis running and check the following items to fix.
You will NEED to reboot the computer when done.
All deletions are recoverable.

The MyWebSearch bar came with your Smiley Central thing (the 2000 smileys) and will keep installing all kinds of crap, updating itself in the background without you knowing, which will eventually lead to more hijacks and system slowdowns/problems.

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O3 - Toolbar: WhyPPC - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\toolbar.dll

(WhyPPC will eventually cause the same problems as above, including changing your home page.)

O4 - HKLM\..\Run: [WebInstall2] C:\DOCUME~1\Sara\LOCALS~1\Temp\ins5F2.tmp /R

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O8 - Extra context menu item: &IE Toolbar search - res://C:\WINDOWS\Downloaded Program Files\CONFLICT.1\toolbar.dll/SEARCH.HTML

O9 - Extra button: WhyPPC (HKLM)

O9 - Extra 'Tools' menuitem: WhyPPC (HKLM)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} (WhyPPC) - http://69.57.140.27/~popinads/tbar/toolbar.cab

If you have nothing to do with any web hosting company, are not building a website, or have no idea why the last item (a dialer) is there, then you can fix it too.

O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://www.accesoplugin.com/dialercab/IberoDialerHTML.cab

When you reboot the machine, delete the following files if they exist.

c:\program files\my web search <- this folder

With Windows Explorer, run a search for ins5F2.tmp and delete it too.

Good luck and hope that helps.


Response Number 2
Name: wildhart
Date: November 20, 2003 at 21:54:06 Pacific
Subject: Belt.Exe TROJAN

For those that don't know how to get rid of belt.exe: right-click Start, then click Explore; go to the top of the page and click Search; click "All files and folders", type in belt.exe and search; right-click it if it shows up and delete it. Then do the same over again: type in belt.exe, do the advanced search, check "Search hidden files and folders", and delete. They should be gone. This worked for me. I am fine now.
Good luck. This one had me stumped for days.


Response Number 3
Name: ksprecher
Date: November 21, 2003 at 18:32:59 Pacific
Subject: Belt.Exe TROJAN

I'm gonna try response two; however, my problem is a missing msinfo.exe file which is in the win.ini file. I have unzipped CWShredder, saved it, ran it, found and removed, and rebooted, and this message still appears, so I was led here. I think I should try response 2, but any help will be most appreciated...


Response Number 4
Name: Vaeldadar
Date: November 23, 2003 at 19:36:03 Pacific
Subject: Belt.Exe TROJAN

Hello, I have been guided to this page to see if anyone can help me out with some spyware issues, and I know I have belt.exe. I have tried deleting it twice and still have been unsuccessful. Here is my log from HijackThis.
All help will be most appreciated, thanks!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\desk98.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Aanaddar\Application Data\osah.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aanaddar\Desktop\HijackThis.exe
C:\Program Files\Winamp\winamp.exe

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Ad Blocker Pro] "C:\Program Files\WyvernWorks\Ad Away 2003\Ad Blocker Pro.exe" -minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Espc] C:\Documents and Settings\Aanaddar\Application Data\osah.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/FON19106/flash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37818.5655324074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19737885-91F1-4039-BC85-DBBBD3CC395F}: NameServer = 209.63.0.2 207.173.86.2
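
The logic blender applied in Response 1, and that a reader would apply to the log in Response 4, is location-based: an autostart running out of a Temp folder or a profile's Application Data, a component living in the ActiveX download cache (the CONFLICT.n folders), a cab fetched from a bare IP address, or a URL that names a dialer. The script below is an added example written for this page; it is not code from the original thread, from HijackThis, or from any of the products mentioned. It parses O2/O3, O4, O16 and O17 lines in the format shown above and reports entries with one of those reasons attached. The sample lines are copied from the two logs posted in this thread; the `Finding` type, the regular expressions, and the heuristics themselves are this example's own assumptions, not rules published by HijackThis, and an entry with no reason attached is not thereby known to be clean.

```python
"""Added triage helper for HijackThis-style log lines.

Parses O2/O3 (BHO, toolbar), O4 (Run key), O16 (ActiveX DPF) and O17
(NameServer) entries and applies the location-based reasoning used in this
thread. These are heuristics for a human to review, not a signature database.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: lines copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WebInstall2] C:\DOCUME~1\Sara\LOCALS~1\Temp\ins5F2.tmp /R
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKCU\..\Run: [Espc] C:\Documents and Settings\Aanaddar\Application Data\osah.exe
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O3 - Toolbar: WhyPPC - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\toolbar.dll
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12D86ADC7} (WhyPPC) - http://69.57.140.27/~popinads/tbar/toolbar.cab
O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://www.accesoplugin.com/dialercab/IberoDialerHTML.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09B42C92-4D53-474E-B76A-962A3DECB231}: NameServer = 198.235.216.110 207.236.176.12
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
COM_RE = re.compile(r"^O(?P<sec>[23]) - (?:BHO|Toolbar): (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<desc>.+?) - (?P<url>\S+)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
# First token ending in an executable extension is the image; the rest is arguments.
IMAGE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|tmp|com|scr|bat|pif))(?:\s+(?P<args>.*))?$", re.I)

@dataclass
class Finding:
    section: str   # O2, O3, O4, O16 or O17
    name: str      # Run value name, BHO/toolbar name or DPF friendly name
    target: str    # image path, DLL path, cab URL or resolver list
    reasons: list = field(default_factory=list)

def split_command(cmd):
    """Separate the image path from its arguments in a Run value."""
    cmd = cmd.strip()
    end = cmd.find('"', 1) if cmd.startswith('"') else -1
    if end != -1:
        return cmd[1:end], cmd[end + 1:].strip()
    m = IMAGE_RE.match(cmd)
    return (m.group("path"), m.group("args") or "") if m else (cmd, "")

def location_flags(path):
    """Reasons a file deserves a second look, based only on where it lives."""
    p, reasons = path.lower(), []
    if "\\temp\\" in p:
        reasons.append("autostart runs from a Temp directory")
    if "\\application data\\" in p:
        reasons.append("runs from a user profile's Application Data")
    if "\\downloaded program files\\" in p:
        reasons.append("lives in the ActiveX download cache (CONFLICT.n folders)")
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", p):
        reasons.append("sits directly in the Windows directory; verify the publisher")
    if "\\" not in p:
        reasons.append("unqualified image name, resolved through the search path")
    return reasons

def url_flags(url):
    """Reasons an ActiveX (DPF) download URL deserves a second look."""
    host, reasons = urlparse(url).hostname or "", []
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("ActiveX control served from a bare IP address")
    if "dialer" in url.lower():
        reasons.append("download URL names a dialer component")
    return reasons

def triage(log_text):
    """Return the entries that have at least one reason attached."""
    findings = []
    for line in log_text.strip().splitlines():
        if m := RUN_RE.match(line):
            path, _ = split_command(m.group("cmd"))
            f = Finding("O4", m.group("name"), path, location_flags(path))
        elif m := COM_RE.match(line):
            f = Finding("O" + m.group("sec"), m.group("name"), m.group("path"),
                        location_flags(m.group("path")))
        elif m := DPF_RE.match(line):
            # "{CLSID} (Friendly Name)" -> "Friendly Name"; keep the raw text otherwise
            name = re.sub(r"^\{[^}]*\}\s*", "", m.group("desc")).strip("()") or m.group("desc")
            f = Finding("O16", name, m.group("url"), url_flags(m.group("url")))
        elif m := DNS_RE.match(line):
            f = Finding("O17", "NameServer", m.group("servers"),
                        ["confirm these resolvers belong to your ISP"])
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<28}{f.target}\n    " + "; ".join(f.reasons))
```

Run against the sample, it flags the same items the responders singled out (the Temp-resident WebInstall2, Belt.exe and bi.dll in the Windows directory, osah.exe in Application Data, the WhyPPC toolbar and its cab on a raw IP, the dialer cab) while leaving ccApp, RealPlayer and the Macromedia Flash control alone. The O17 line is always listed because only the owner can say whether those resolvers belong to their ISP. Note that the "unqualified image name" rule fires on desk98.exe, which the log shows without a path: that is a location observation, not a verdict, and is exactly the kind of entry to confirm by hand rather than delete.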
